D-Bus: Fix byte array dict entry parser in out-of-memory case
authorJouni Malinen <j@w1.fi>
Tue, 6 Jan 2015 14:45:16 +0000 (16:45 +0200)
committerJouni Malinen <j@w1.fi>
Wed, 7 Jan 2015 11:19:00 +0000 (13:19 +0200)
entry->bytearray_value was left pointing to freed memory if
os_realloc_array() failed. As a result, the subsequent
wpa_dbus_dict_entry_clear() call tried to free an already freed memory area.

Signed-off-by: Jouni Malinen <j@w1.fi>
wpa_supplicant/dbus/dbus_dict_helpers.c

index 317661a..c9615ad 100644 (file)
@@ -700,7 +700,6 @@ static dbus_bool_t _wpa_dbus_dict_entry_get_byte_array(
        if (!buffer)
                return FALSE;
 
-       entry->bytearray_value = buffer;
        entry->array_len = 0;
        while (dbus_message_iter_get_arg_type(iter) == DBUS_TYPE_BYTE) {
                char byte;
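Review bot: `entry->array_len` is still written on every loop pass (`entry->array_len = ++count;` in the second hunk) while `entry->bytearray_value` is now assigned only after the loop, so an early exit from the loop leaves the entry with a non-zero length and a pointer this function never set. The failure branch sits between the two hunks and is not visible here; going by the commit message it frees `buffer` and bails out, in which case the later wpa_dbus_dict_entry_clear() is safe only if the caller initialised `bytearray_value` to NULL, which these lines do not show. Publishing both fields together after the loop, with `count++;` inside it and `entry->array_len = count;` next to `entry->bytearray_value = buffer;`, would keep pointer and length consistent on every exit path. A short comment at `entry->array_len = 0;` such as `/* entry owns no buffer until the loop completes */` would record that invariant; the function starts and ends outside both hunks.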
@@ -718,13 +717,13 @@ static dbus_bool_t _wpa_dbus_dict_entry_get_byte_array(
                        }
                        buffer = nbuffer;
                }
-               entry->bytearray_value = buffer;
 
                dbus_message_iter_get_basic(iter, &byte);
-               entry->bytearray_value[count] = byte;
+               buffer[count] = byte;
                entry->array_len = ++count;
                dbus_message_iter_next(iter);
        }
+       entry->bytearray_value = buffer;
        wpa_hexdump_key(MSG_MSGDUMP, "dbus: byte array contents",
                        entry->bytearray_value, entry->array_len);