author | Patrick Ohly <patrick.ohly@intel.com> | 2011-04-20 14:20:46 +0200 |
---|---|---|
committer | Patrick Ohly <patrick.ohly@intel.com> | 2011-04-20 14:20:46 +0200 |
commit | e3ccba5d1c7d53ee08e3a2f7cc83bc387dc4d39d (patch) | |
tree | 6cebf497c11635d68d1862f5b21d02f514a3cc00 /src/syncevo/LocalTransportAgent.cpp | |
parent | 162568b064e2a21991afe44e788d7f5e7c215569 (diff) |
local sync: fixed potential NULL pointer read
The following code crashed if m_length was read after executing
the release() calls:
realloc(buffer.m_message.release(), buffer.m_message->m_length)
That's because release() resets the m_message pointer, and C++ leaves the evaluation order of function arguments unspecified. It seems that clang orders execution like that whereas gcc doesn't.
Diffstat (limited to 'src/syncevo/LocalTransportAgent.cpp')
-rw-r--r-- | src/syncevo/LocalTransportAgent.cpp | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/src/syncevo/LocalTransportAgent.cpp b/src/syncevo/LocalTransportAgent.cpp
index b4a3671a..a31f9916 100644
--- a/src/syncevo/LocalTransportAgent.cpp
+++ b/src/syncevo/LocalTransportAgent.cpp
@@ -637,9 +637,11 @@ TransportAgent::Status LocalTransportAgent::readMessage(int fd, Buffer &buffer,
                              "Message Buffer");
     } else if (buffer.m_used >= sizeof(Message) &&
                buffer.m_message->m_length > buffer.m_size) {
-        buffer.m_message.set(static_cast<Message *>(realloc(buffer.m_message.release(), buffer.m_message->m_length)),
+        // copy before (temporarily) freeing memory
+        size_t newsize = buffer.m_message->m_length;
+        buffer.m_message.set(static_cast<Message *>(realloc(buffer.m_message.release(), newsize)),
                              "Message Buffer");
-        buffer.m_size = buffer.m_message->m_length;
+        buffer.m_size = newsize;
     }
     SE_LOG_DEBUG(NULL, NULL, "%s: recv %ld bytes", m_pid ? "parent" : "child",