jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

D-Bus: Fix byte array dict entry parser in out-of-memory case

Browse source 
entry->bytearray_value was left to point to freed memory in case
os_realloc_array() failed. This resulted in the following
wpa_dbus_dict_entry_clear() trying to free an already freed memory area.

Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
Jouni Malinen 2015-01-06 16:45:16 +02:00
parent dacf605812
commit c61bc23aa2
1 changed files with 2 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
wpa_supplicant/dbus/dbus_dict_helpers.c
View file

@ -700,7 +700,6 @@ static dbus_bool_t _wpa_dbus_dict_entry_get_byte_array(
if (!buffer) if (!buffer)
return FALSE; return FALSE;
entry->bytearray_value = buffer;
entry->array_len = 0; entry->array_len = 0;
while (dbus_message_iter_get_arg_type(iter) == DBUS_TYPE_BYTE) { while (dbus_message_iter_get_arg_type(iter) == DBUS_TYPE_BYTE) {
char byte; char byte;
@ -718,13 +717,13 @@ static dbus_bool_t _wpa_dbus_dict_entry_get_byte_array(
} }
buffer = nbuffer; buffer = nbuffer;
} }
entry->bytearray_value = buffer;
dbus_message_iter_get_basic(iter, &byte); dbus_message_iter_get_basic(iter, &byte);
entry->bytearray_value[count] = byte; buffer[count] = byte;
entry->array_len = ++count; entry->array_len = ++count;
dbus_message_iter_next(iter); dbus_message_iter_next(iter);
} }
entry->bytearray_value = buffer;
wpa_hexdump_key(MSG_MSGDUMP, "dbus: byte array contents", wpa_hexdump_key(MSG_MSGDUMP, "dbus: byte array contents",
entry->bytearray_value, entry->array_len); entry->bytearray_value, entry->array_len);