Browse code

core: xavp: Fix xavp_insert to prevent corrupted linked lists

- Inserting data at a given index will pad the xavp with XTYPE_NULL entries
- Inserting data will replace a NULL entry if present

Hugh Waite authored on 08/10/2014 18:01:20
Showing 1 changed files
... ...
@@ -694,44 +694,48 @@ sr_xavp_t *xavp_clone_level_nodata(sr_xavp_t *xold)
694 694
 int xavp_insert(sr_xavp_t *xavp, int idx, sr_xavp_t **list)
695 695
 {
696 696
 	sr_xavp_t *crt = 0;
697
-	sr_xavp_t *fst = 0;
698 697
 	sr_xavp_t *lst = 0;
699 698
 	sr_xval_t val;
700 699
 	int n = 0;
701 700
 	int i = 0;
702 701
 
703
-	if(idx==0)
702
+	crt = xavp_get_internal(&xavp->name, list, 0, NULL);
703
+
704
+	if (idx == 0 && (!crt || crt->val.type != SR_XTYPE_NULL))
704 705
 		return xavp_add(xavp, list);
705 706
 
706
-	crt = xavp_get_internal(&xavp->name, list, 0, 0);
707 707
 	while(crt!=NULL && n<idx) {
708 708
 		lst = crt;
709 709
 		n++;
710 710
 		crt = xavp_get_next(lst);
711 711
 	}
712
+
713
+	if (crt && crt->val.type == SR_XTYPE_NULL) {
714
+		xavp->next = crt->next;
715
+		crt->next = xavp;
716
+
717
+		xavp_rm(crt, list);
718
+		return 0;
719
+	}
720
+
712 721
 	memset(&val, 0, sizeof(sr_xval_t));
713 722
 	val.type = SR_XTYPE_NULL;
714 723
 	for(i=0; i<idx-n; i++) {
715
-		crt = xavp_add_value(&xavp->name, &val, list);
724
+		crt = xavp_new_value(&xavp->name, &val);
716 725
 		if(crt==NULL)
717 726
 			return -1;
718
-		if(fst==NULL)
719
-			fst = crt;
720
-		if(lst==NULL) {
721
-			if(xavp_add(crt, list)<0)
722
-				return -1;
727
+		if (lst == NULL) {
728
+			crt->next = *list;
729
+			*list = crt;
723 730
 		} else {
724 731
 			crt->next = lst->next;
725 732
 			lst->next = crt;
726 733
 		}
734
+		lst = crt;
727 735
 	}
728 736
 
729
-	if(fst==NULL) {
730
-		return xavp_add(xavp, list);
731
-	} else {
732
-		xavp->next = fst->next;
733
-		fst->next = xavp;
734
-	}
737
+	xavp->next = lst->next;
738
+	lst->next = xavp;
735 739
 
736 740
 	return 0;
737 741
 }