From 050cbdec4b2a01004a4ece4792d518dfd9d524e5 Mon Sep 17 00:00:00 2001
From: Simon McVittie
Date: Mon, 6 Nov 2017 19:09:51 +0000
Subject: [PATCH 3/6] do_check_nonce: Don't free uninitialized memory on OOM

If _dbus_string_init() fails, it doesn't guarantee that the string is initialized to anything in particular. Worse, if _dbus_string_init (&buffer) fails, p would never have been initialized at all, due to the use of the short-circuiting || operator.

Signed-off-by: Simon McVittie
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103597
---
 dbus/dbus-nonce.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/dbus/dbus-nonce.c b/dbus/dbus-nonce.c
index bc3286cc..49f87369 100644
--- a/dbus/dbus-nonce.c
+++ b/dbus/dbus-nonce.c
@@ -43,6 +43,20 @@ do_check_nonce (DBusSocket fd, const DBusString *nonce, DBusError *error)
 nleft = 16;
+ /* This is a trick to make it safe to call _dbus_string_free on these
+ * strings during error unwinding, even if allocating memory for them
+ * fails. A constant DBusString is considered to be valid to "free",
+ * even though there is nothing to free (of course the free operation
+ * is trivial, because it does not own its own buffer); but
+ * unlike a mutable DBusString, initializing a constant DBusString
+ * cannot fail.
+ *
+ * We must successfully re-initialize the strings to be mutable before
+ * writing to them, of course.
+ */
+ _dbus_string_init_const (&buffer, "");
+ _dbus_string_init_const (&p, "");
+
 if (
 !_dbus_string_init (&buffer)
 || !_dbus_string_init (&p)
 ) {
 dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL);
--
2.15.0
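Review bot: The const pre-initialization of `buffer` and `p` keeps the unwind path safe only as long as nothing between those two lines and the fallible `_dbus_string_init` calls can return early, and the new comment explains the trick but not that ordering constraint; the unwind that calls `_dbus_string_free` on both strings is outside the hunk, so its existence is inferred from the commit message. A short marker on the pre-init lines, e.g. `/* must stay immediately before the fallible _dbus_string_init calls below */`, would protect the invariant against a later insertion between them. The eleven-line comment could also be condensed to its two load-bearing facts: initializing a constant DBusString cannot fail, and freeing one is a no-op because it does not own its buffer. do_check_nonce's body starts before and continues after this hunk.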