projects / lttng-tools.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fix: unchecked buffer size for communication header
[lttng-tools.git] / src / common / tracker.c
diff --git a/src/common/tracker.c b/src/common/tracker.c
index 532a924b56a772b3d55d11e611028ebf7267a7fe..1c50d9d7911b8fcd2a410f55893b48669f48640a 100644 (file)
--- a/src/common/tracker.c
+++ b/src/common/tracker.c
@@ -85,6 +85,7 @@ enum lttng_error_code process_attr_value_from_comm(
                name = strdup(value_view->data);
                if (!name) {
                        ret = LTTNG_ERR_NOMEM;
+                       goto error;
                }
        }
 
@@ -102,10 +103,12 @@ enum lttng_error_code process_attr_value_from_comm(
        }
 
        /* Only expect a payload for name value types. */
-       if (is_value_type_name(value_type) && value_view->size == 0) {
+       if (is_value_type_name(value_type) &&
+                       (!value_view || value_view->size == 0)) {
                ret = LTTNG_ERR_INVALID_PROTOCOL;
                goto error;
-       } else if (!is_value_type_name(value_type) && value_view->size != 0) {
+       } else if (!is_value_type_name(value_type) && value_view &&
+                       value_view->size != 0) {
                ret = LTTNG_ERR_INVALID_PROTOCOL;
                goto error;
        }
@@ -173,6 +176,7 @@ enum lttng_error_code process_attr_value_from_comm(
 
        *_value = value;
        value = NULL;
+       free(name);
        return LTTNG_OK;
 error:
        free(name);
@@ -341,9 +345,10 @@ ssize_t lttng_process_attr_values_create_from_buffer(
 
        header_view = lttng_buffer_view_from_view(
                        buffer_view, 0, sizeof(*header));
-       if (!header_view.data) {
+       if (!lttng_buffer_view_is_valid(&header_view)) {
                goto error;
        }
+
        offset = header_view.size;
        header = (typeof(header)) header_view.data;
 
@@ -366,7 +371,7 @@ ssize_t lttng_process_attr_values_create_from_buffer(
 
                value_view = lttng_buffer_view_from_view(
                                buffer_view, offset, sizeof(*value_comm));
-               if (!value_view.data) {
+               if (!lttng_buffer_view_is_valid(&value_view)) {
                        goto error;
                }
 
@@ -378,8 +383,13 @@ ssize_t lttng_process_attr_values_create_from_buffer(
                        value_name_view = lttng_buffer_view_from_view(
                                        buffer_view, offset,
                                        value_comm->value.name_len);
+                       if (!lttng_buffer_view_is_valid(&value_name_view)) {
+                               goto error;
+                       }
+
                        offset += value_name_view.size;
                }
+
                ret_code = process_attr_value_from_comm(domain, process_attr,
                                type, &value_comm->value.integral,
                                &value_name_view, &value);
LTTng 2.0 tools and control repository
This page took 0.0244 seconds and 4 git commands to generate.