
- ctl overflow check fix, take 2 (previous fix breaks error replies)

Andrei Pelinescu-Onciul authored on 10/09/2007 15:26:44
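--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -218,8 +218,8 @@ inline static int binrpc_add_tag(struct binrpc_pkt* pkt, int type, int end)
 
 /*  writes a minimal int, returns the new offset and sets
  * len to the number of bytes written (<=4)
- * to check for oveflow use: returned_value>=end
- * or returned_value-p < *len && *len!=0
+ * to check for oveflow use:  returned_value-p != *len
+ * (Note: if *len==0 using the test above succeeds even if p>=end)
  */
 inline static unsigned char* binrpc_write_int(	unsigned char* p,
 												unsigned char* end,
@@ -347,7 +347,8 @@ inline static int binrpc_add_int_type(struct binrpc_pkt* pkt, int i, int type)
 	int size;
 	
 	p=binrpc_write_int(pkt->crt+1, pkt->end, i, &size);
-	if (p>=pkt->end) goto error_len;
+	if ((pkt->crt>=pkt->end) || ((int)(p-pkt->crt-1)!=size))
+		goto error_len;
 	*(pkt->crt)=(size<<4) | type;
 	pkt->crt=p;
 	return 0;
@@ -394,12 +395,14 @@ inline static int binrpc_add_str_mark(struct binrpc_pkt* pkt, int type,
 	int size;
 	unsigned char* p;
 	
+	if (pkt->crt>=pkt->end) goto error_len;
 	if (l<8){
 		size=l;
 		p=pkt->crt+1;
 	}else{ /* we need a separate len */
 		p=binrpc_write_int(pkt->crt+1, pkt->end, l, &size);
-		if (p>=pkt->end) goto error_len;
+		if (((int)(p-pkt->crt-1)!=size))
+			goto error_len;
 		size|=8; /* mark it as having external len  */
 	}
 	*(pkt->crt)=(size)<<4|type;
@@ -430,7 +433,7 @@ inline static int binrpc_add_str_type(struct binrpc_pkt* pkt, char* s, int len,
 		 *  caught by the next check */
 		size|=8; /* mark it as having external len  */
 	}
-	if ((p+l)>=pkt->end) goto error_len;
+	if ((p+l)>pkt->end) goto error_len;
 	*(pkt->crt)=(size)<<4|type;
 	memcpy(p, s, len);
 	if (zero_term) p[len]=0;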
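Review bot: In binrpc_add_int_type the new `pkt->crt>=pkt->end` guard runs only after binrpc_write_int has already been handed `pkt->crt+1`, so when crt is at or past end the callee is given a pointer beyond the buffer and the caller relies on write_int's own handling of that case (the comment added above binrpc_write_int documents the `*len==0` corner this creates). binrpc_add_str_mark in the following hunk checks crt before touching the buffer; the int case should be ordered the same way: `if (pkt->crt>=pkt->end) goto error_len;` then `p=binrpc_write_int(pkt->crt+1, pkt->end, i, &size);` then `if ((int)(p-pkt->crt-1)!=size) goto error_len;`. The `(int)` cast on the pointer difference is acceptable here because a successful write is at most 4 bytes per the binrpc_write_int comment, but the `error_len` label and the remainder of both functions lie outside the hunks, so the cleanup path is assumed unchanged. In binrpc_add_str_type the relaxation from `>=` to `>` is correct only if `l` already counts the terminator byte that `p[len]=0` writes; the lines computing `l` are outside the hunk, though the surviving "caught by the next check" comment suggests that is the intent.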