projects / lttng-tools.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fix: unchecked buffer size for communication header
[lttng-tools.git] / src / common / actions / snapshot-session.c
diff --git a/src/common/actions/snapshot-session.c b/src/common/actions/snapshot-session.c
index 7576838650609b245f25f202ca491b3084797d50..8b23d58e70aafb81e09893e37c02dc8b6a3199c6 100644 (file)
--- a/src/common/actions/snapshot-session.c
+++ b/src/common/actions/snapshot-session.c
@@ -211,18 +211,26 @@ ssize_t lttng_action_snapshot_session_create_from_payload(
                struct lttng_action **p_action)
 {
        ssize_t consumed_len;
                struct lttng_action **p_action)
 {
        ssize_t consumed_len;
-       const struct lttng_action_snapshot_session_comm *comm;
        const char *variable_data;
        struct lttng_action *action;
        enum lttng_action_status status;
        struct lttng_snapshot_output *snapshot_output = NULL;
        const char *variable_data;
        struct lttng_action *action;
        enum lttng_action_status status;
        struct lttng_snapshot_output *snapshot_output = NULL;
+       const struct lttng_action_snapshot_session_comm *comm;
+       const struct lttng_payload_view snapshot_session_comm_view =
+                       lttng_payload_view_from_view(
+                               view, 0, sizeof(*comm));
 
        action = lttng_action_snapshot_session_create();
        if (!action) {
                goto error;
        }
 
 
        action = lttng_action_snapshot_session_create();
        if (!action) {
                goto error;
        }
 
-       comm = (typeof(comm)) view->buffer.data;
+       if (!lttng_payload_view_is_valid(&snapshot_session_comm_view)) {
+               /* Payload not large enough to contain the header. */
+               goto error;
+       }
+
+       comm = (typeof(comm)) snapshot_session_comm_view.buffer.data;
        variable_data = (const char *) &comm->data;
 
        consumed_len = sizeof(struct lttng_action_snapshot_session_comm);
        variable_data = (const char *) &comm->data;
 
        consumed_len = sizeof(struct lttng_action_snapshot_session_comm);
@@ -249,7 +257,7 @@ ssize_t lttng_action_snapshot_session_create_from_payload(
                        lttng_payload_view_from_view(view, consumed_len,
                                comm->snapshot_output_len);
 
                        lttng_payload_view_from_view(view, consumed_len,
                                comm->snapshot_output_len);
 
-               if (!snapshot_output_buffer_view.buffer.data) {
+               if (!lttng_payload_view_is_valid(&snapshot_output_buffer_view)) {
                        ERR("Failed to create buffer view for snapshot output.");
                        goto error;
                }
                        ERR("Failed to create buffer view for snapshot output.");
                        goto error;
                }
LTTng 2.0 tools and control repository
This page took 0.023424 seconds and 4 git commands to generate.