Fix: lttng-snapshot: use after free of max size argument
[lttng-tools.git] / src / lib / lttng-ctl / lttng-ctl.cpp
index c5d47ebdc53d66b2182a6656b2ecb955fdf91942..3d0c8b412cc7297914051a3417831d417857bf28 100644 (file)
@@ -266,7 +266,7 @@ int lttng_check_tracing_group(void)
        }
 
        /* Alloc group list of the right size */
-       grp_list = (gid_t *) zmalloc(grp_list_size * sizeof(gid_t));
+       grp_list = calloc<gid_t>(grp_list_size);
        if (!grp_list) {
                PERROR("malloc");
                goto end;
@@ -500,7 +500,7 @@ static int recv_sessiond_optional_data(size_t len, void **user_buf,
        size_t *user_len)
 {
        int ret = 0;
-       void *buf = NULL;
+       char *buf = NULL;
 
        if (len) {
                if (!user_len) {
@@ -508,7 +508,7 @@ static int recv_sessiond_optional_data(size_t len, void **user_buf,
                        goto end;
                }
 
-               buf = zmalloc(len);
+               buf = zmalloc<char>(len);
                if (!buf) {
                        ret = -ENOMEM;
                        goto end;
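Review bot: `zmalloc<char>(len)` sizes the buffer directly from the `len` parameter, and no upper bound on `len` is visible in this hunk or in the previous one for the same function. If `len` is taken from a length field in the session daemon's reply (the function name suggests this, but the caller is not shown), a cap before the allocation would keep a malformed reply from forcing a large zero-filled allocation. Something like `if (len > MAX_OPTIONAL_DATA_LEN) { ret = -EINVAL; goto end; }` would do, where `MAX_OPTIONAL_DATA_LEN` is a placeholder for a limit the project would have to choose. The body of `recv_sessiond_optional_data` continues outside the hunk, so a check may already exist elsewhere.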
@@ -729,7 +729,7 @@ struct lttng_handle *lttng_create_handle(const char *session_name,
        int ret;
        struct lttng_handle *handle = NULL;
 
-       handle = (lttng_handle *) zmalloc(sizeof(struct lttng_handle));
+       handle = zmalloc<lttng_handle>();
        if (handle == NULL) {
                PERROR("malloc handle");
                goto end;
@@ -1576,13 +1576,13 @@ int lttng_enable_channel(struct lttng_handle *handle,
        /* Populate the channel extended attribute if necessary. */
        if (!channel->attr.extended.ptr) {
                struct lttng_channel_extended *extended =
-                               (struct lttng_channel_extended *) zmalloc(
-                                               sizeof(*extended));
+                               zmalloc<lttng_channel_extended>();
 
                if (!extended) {
                        ret = -LTTNG_ERR_NOMEM;
                        goto end;
                }
+
                lttng_channel_set_default_extended_attr(
                                &handle->domain, extended);
                channel->attr.extended.ptr = extended;
@@ -1747,13 +1747,13 @@ int lttng_list_tracepoint_fields(struct lttng_handle *handle,
        unsigned int nb_event_fields = 0;
        struct lttng_payload reply;
 
+       lttng_payload_init(&reply);
+
        if (handle == NULL) {
                ret = -LTTNG_ERR_INVALID;
                goto end;
        }
 
-       lttng_payload_init(&reply);
-
        memset(&lsm, 0, sizeof(lsm));
        lsm.cmd_type = LTTNG_LIST_TRACEPOINT_FIELDS;
        COPY_DOMAIN_PACKED(lsm.domain, handle->domain);
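Review bot: Nothing in the function records why `lttng_payload_init(&reply)` must now run before the `handle == NULL` check. The later hunk at -1807 makes the `end:` label call `lttng_payload_reset(&reply)` on every path, so any `goto end` placed above the init would reset an uninitialized payload. I would add a comment on the init line, for example `/* Must precede every 'goto end': the end label resets 'reply'. */`, so a future early-exit check is not inserted above it. The function body continues outside this hunk.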
@@ -1807,6 +1807,7 @@ int lttng_list_tracepoint_fields(struct lttng_handle *handle,
        ret = nb_event_fields;
 
 end:
+       lttng_payload_reset(&reply);
        return ret;
 }
 
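Review bot: `ret = nb_event_fields;` assigns an `unsigned int` (declared in the hunk at -1747) to the `int` return value, so a count above `INT_MAX` would come back negative and be read by callers as an error code. If the count is derived from the reply payload, which this hunk does not show, a guard before the assignment makes the limit explicit: `if (nb_event_fields > INT_MAX) { ret = -LTTNG_ERR_INVALID; goto end; }`. With the new `lttng_payload_reset(&reply)` at `end:`, that early exit would still release the payload. The function starts outside this hunk.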