author | Коренберг Марк <mark@ideco.ru> | 2015-07-02 09:59:55 (GMT) |
---|---|---|
committer | Thomas Haller <thaller@redhat.com> | 2015-07-10 08:06:21 (GMT) |
commit | e29c979e885ab3f16ab6b2b26a33bc079bb39c88 (patch) | |
tree | edd3d25f582d481c6a93443c484b371b121998a8 | |
parent | 54e4ca788614e427a9686fea26c1cc4729d8811c (diff) | |
nf: fix potential bug in nfnl_queue_msg_set_payload() when malloc() failed
Suppose the case:
1. the message already has some payload
2. malloc() failed
In that case:
1. msg->queue_msg_payload becomes NULL
2. msg->queue_msg_payload_len stays non-zero
Now, when a malloc() error occurs, nothing is changed.
https://github.com/thom311/libnl/pull/83
-rw-r--r-- | lib/netfilter/queue_msg_obj.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/lib/netfilter/queue_msg_obj.c b/lib/netfilter/queue_msg_obj.c
index b3b49ef..98f9a99 100644
--- a/lib/netfilter/queue_msg_obj.c
+++ b/lib/netfilter/queue_msg_obj.c
@@ -405,12 +405,15 @@ const uint8_t *nfnl_queue_msg_get_hwaddr(const struct nfnl_queue_msg *msg,
 int nfnl_queue_msg_set_payload(struct nfnl_queue_msg *msg, uint8_t *payload, int len)
 {
- free(msg->queue_msg_payload);
- msg->queue_msg_payload = malloc(len);
- if (!msg->queue_msg_payload)
+ void *new_payload = malloc(len);
+
+ if (new_payload == NULL)
 return -NLE_NOMEM;
+ memcpy(new_payload, payload, len);
+
+ free(msg->queue_msg_payload);
- memcpy(msg->queue_msg_payload, payload, len);
+ msg->queue_msg_payload = new_payload;
 msg->queue_msg_payload_len = len;
 msg->ce_mask |= QUEUE_MSG_ATTR_PAYLOAD;
 return 0; |
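Review bot: `len` is a signed `int` that reaches `malloc(len)` and `memcpy(new_payload, payload, len)` without any range check, so a negative value is converted to a very large `size_t` and surfaces as `-NLE_NOMEM` instead of as a bad argument. With `len == 0` the result depends on whether the platform's `malloc(0)` returns NULL, so setting an empty payload may fail with `-NLE_NOMEM` on some systems and succeed on others. I would reject invalid input before the allocation, for example `if (len < 0 || (len > 0 && payload == NULL)) return -NLE_INVAL;`, and decide explicitly what an empty payload should do. The callers are not visible here; if the length can be derived from a received packet, the check matters more. The function's closing brace lies outside the hunk.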