From 6ec4bea24dceb57053d9c104b75eab3a1affeadf Mon Sep 17 00:00:00 2001 From: =?utf8?q?J=C3=A9r=C3=A9mie=20Galarneau?= Date: Wed, 11 Sep 2019 12:18:15 -0400 Subject: [PATCH] lttng-ctl: fix: lttng_data_pending confuses communication status MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit lttng_ctl_ask_sessiond can return a positive value even though it failed to receive the variable length payload of a session message reply. In this case, lttng_ctl_ask_sessiond ends up calling into lttng_ctl_ask_sessiond_fds_varlen() which will return the (negated) error code returned by the session daemon if it was not LTTNG_OK. The peer could return anything here, which lttng_data_pending will end up interpreting as the length of the variable data that was received. In this case, if the sessiond returns '-1', '1' will be returned to lttng_data_pending, which it will interpret as being the length of the 'data_pending' byte flag. It will then dereference 'pending', which is NULL, and (most likely) crash. Check for NULL on top of checking for the return code. This communication layer needs love as much as it needs a bulldozer. Signed-off-by: Jérémie Galarneau --- src/lib/lttng-ctl/lttng-ctl.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/lib/lttng-ctl/lttng-ctl.c b/src/lib/lttng-ctl/lttng-ctl.c index 870813901..1a6e75acf 100644 --- a/src/lib/lttng-ctl/lttng-ctl.c +++ b/src/lib/lttng-ctl/lttng-ctl.c @@ -2229,6 +2229,10 @@ int lttng_data_pending(const char *session_name) /* Unexpected payload size */ ret = -LTTNG_ERR_INVALID; goto end; + } else if (!pending) { + /* Internal error. */ + ret = -LTTNG_ERR_UNK; + goto end; } ret = (int) *pending; -- 2.34.1
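Review bot: the new `else if (!pending)` branch in lttng_data_pending() only guards the symptom; the root cause stated in the message (lttng_ctl_ask_sessiond returning the sessiond's negated error code as a positive "payload length") is left in place, so the peer's real error code is still discarded in every case: a reply of `-1` now reaches the NULL check and is reported as `-LTTNG_ERR_UNK`, and any other negative reply still falls into the preceding "Unexpected payload size" branch and becomes `-LTTNG_ERR_INVALID`. Consider having lttng_ctl_ask_sessiond return a negative value whenever the variable-length payload was not received, and keep this NULL check as a belt-and-braces guard. Also, the `/* Internal error. */` comment is misleading for what the message describes as a sessiond-reported failure; something like `/* Reply carried no payload (sessiond error lost in transport). */` would tell the next reader why `pending` can be NULL even though `ret` equals the expected size.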