Skip to content

Commit

Permalink
Adding missing NULL pointer checks after malloc to fix Bug#699946, th…
Browse files Browse the repository at this point in the history 
…anks to review by dchan.
  • Loading branch information
@ozten
ozten committed Nov 7, 2011
1 parent f29213f commit 275a284
Show file tree
Hide file tree
Showing 2 changed files with 51 additions and 10 deletions.
30 changes: 21 additions & 9 deletions plugins/browserid.c
View file
Expand Up @@ -195,9 +195,16 @@ static int browserid_server_mech_step(void *conn_context,
} else {
syslog(LOG_DEBUG, "No session hit, using verifier");
browserid_response = malloc(sizeof(struct browserid_response_t));
if (browserid_response == NULL) {
MEMERROR(sparams->utils);
return SASL_NOMEM;
}

browserid_verify(sparams->utils, browserid_response,
assertion, audience_copy);
result = browserid_verify(sparams->utils, browserid_response,
assertion, audience_copy);
if (result != 1) {
return result;
}

if (strcasecmp(browserid_response->status, "okay") == 0) {
syslog(LOG_DEBUG, "Yes, we're all good! %s %s %s until %llu",
Expand All @@ -206,18 +213,18 @@ static int browserid_server_mech_step(void *conn_context,
browserid_response->issuer,
browserid_response->expires);

if (strcasecmp(browserid_response->audience, audience_copy) != 0) {
syslog(LOG_ERR, "BAD Audience, expected [%s] != [%s]",
audience_copy, browserid_response->audience);
return SASL_BADAUTH;
}
if (strcasecmp(browserid_response->audience, audience_copy) != 0) {
syslog(LOG_ERR, "BAD Audience, expected [%s] != [%s]",
audience_copy, browserid_response->audience);
return SASL_BADAUTH;
}

create_session(sparams->utils, assertion,
browserid_response->email);
result = sparams->canon_user(sparams->utils->conn,
browserid_response->email, 0,
SASL_CU_AUTHID | SASL_CU_AUTHZID,
oparams);
SASL_CU_AUTHID | SASL_CU_AUTHZID,
oparams);

_transmit_email(sparams, serverout, serveroutlen, browserid_response->email);

Expand Down Expand Up @@ -457,6 +464,11 @@ static int browserid_client_mech_step1(void *conn_context,
p += oparams->alen;

p = params->utils->malloc(*clientoutlen);
if (p == NULL) {
MEMERROR( params->utils );
return SASL_NOMEM;
}

strcpy(p, browser_assertion);
p += strlen(browser_assertion) + 1;
strcpy(p, browser_audience);
Expand Down
31 changes: 30 additions & 1 deletion plugins/verifier.c
View file
Expand Up @@ -7,8 +7,12 @@
#include <curl/curl.h>
#include <sasl/sasl.h> /* saslplug.h should have included this ?!? */
#include <sasl/saslplug.h>
#include "plugin_common.h"

#include "yajl/yajl_tree.h"



#include <verifier.h>

#define JSON_BUFFER 256
Expand All @@ -18,6 +22,7 @@ struct json_response {
char *memory;
size_t size;
size_t realsize;
int memerr;
};

/** Callback function for streaming CURL response */
Expand All @@ -29,9 +34,19 @@ static size_t write_cb(void *contents, size_t size, size_t nmemb, void *userp)
if (mem->size + realsize >= mem->realsize) {
mem->realsize = mem->size + realsize + JSON_BUFFER;
void *tmp = malloc(mem->size + realsize + JSON_BUFFER);
if (tmp == NULL) {
syslog(LOG_ERR, "Unable to grow json_response tmp buffer");
mem->memerr = 1;
return realsize;
}
memcpy(tmp, mem->memory, mem->size);
free(mem->memory);
mem->memory = malloc(mem->size + realsize + JSON_BUFFER);
if (mem->memory == NULL) {
syslog(LOG_ERR, "Unable to grow json_response memory slot");
mem->memerr = 1;
return realsize;
}
memcpy(mem->memory, tmp, mem->size);
free(tmp);
}
Expand Down Expand Up @@ -78,6 +93,10 @@ int browserid_verify(const sasl_utils_t *utils,

bid_body = malloc(strlen(bid_body_fmt) +
strlen(assertion) + strlen(audience));
if (bid_body == NULL) {
MEMERROR( utils );
return SASL_NOMEM;
}
sprintf(bid_body, bid_body_fmt, assertion, audience);
syslog(LOG_INFO, "bid_body = %d %s", strlen(bid_body), bid_body);

Expand Down Expand Up @@ -112,15 +131,25 @@ int browserid_verify(const sasl_utils_t *utils,
write_cb))
syslog(LOG_ERR, "curl setopt write fn failed");

json_text.memory = malloc(JSON_BUFFER);
json_text.size = 0;
json_text.memerr = 0;
json_text.realsize = JSON_BUFFER;
json_text.memory = malloc(JSON_BUFFER);
if (json_text.memory == NULL) {
MEMERROR( utils );
return SASL_NOMEM;
}

if (0 != curl_easy_setopt(handle, CURLOPT_WRITEDATA, &json_text))
syslog(LOG_ERR, "curl setopt writedata failed");

code = curl_easy_perform(handle);

if (json_text.memerr == 1) {
MEMERROR( utils );
return SASL_NOMEM;
}

if (code == 0) {
parse(json_text.memory, browserid_response);
} else {
Expand Down

0 comments on commit 275a284

Please sign in to comment.