[CORE] Add defense code to ogs_pkbuf_copy (#2032)

Added a defense code to prevent NF crash when ogs_pkbuf_copy() size is 0.
2023-01-29 16:45:42 +09:00 · 2023-01-29 16:45:42 +09:00 · 131ecb4a44
parent b7386284a7
commit 131ecb4a44
2 changed files with 39 additions and 8 deletions
--- a/lib/core/ogs-pkbuf.c
+++ b/lib/core/ogs-pkbuf.c
@ -317,11 +317,21 @@ ogs_pkbuf_t *ogs_pkbuf_copy_debug(ogs_pkbuf_t *pkbuf, const char *file_line)
 {
 #if OGS_USE_TALLOC
    ogs_pkbuf_t *newbuf;
+#else
+    ogs_pkbuf_pool_t *pool = NULL;
+    ogs_pkbuf_t *newbuf = NULL;
+#endif
    int size = 0;

    ogs_assert(pkbuf);
    size = pkbuf->end - pkbuf->head;
-    ogs_assert(size > 0);
+    if (size <= 0) {
+        ogs_error("Invalid argument[size=%d, head=%p, end=%p] in (%s)",
+                size, pkbuf->head, pkbuf->end, file_line);
+        return NULL;
+    }
+
+#if OGS_USE_TALLOC
    newbuf = ogs_pkbuf_alloc_debug(NULL, size, file_line);
    if (!newbuf) {
        ogs_error("ogs_pkbuf_alloc() failed [size=%d]", size);
@ -339,10 +349,6 @@ ogs_pkbuf_t *ogs_pkbuf_copy_debug(ogs_pkbuf_t *pkbuf, const char *file_line)

    return newbuf;
 #else
-    ogs_pkbuf_pool_t *pool = NULL;
-    ogs_pkbuf_t *newbuf = NULL;
-
-    ogs_assert(pkbuf);
    pool = pkbuf->pool;
    ogs_assert(pool);

@ -350,7 +356,7 @@ ogs_pkbuf_t *ogs_pkbuf_copy_debug(ogs_pkbuf_t *pkbuf, const char *file_line)

    ogs_pool_alloc(&pool->pkbuf, &newbuf);
    if (!newbuf) {
-        ogs_error("ogs_pkbuf_copy() failed");
+        ogs_error("ogs_pkbuf_copy() failed [size=%d]", size);
        ogs_thread_mutex_unlock(&pool->mutex);
        return NULL;
    }
--- a/lib/sbi/message.c
+++ b/lib/sbi/message.c
@ -2373,7 +2373,18 @@ static int parse_multipart(
            http->part[http->num_of_part].pkbuf =
                ogs_pkbuf_alloc(NULL, data.part[i].content_length);
            if (!(http->part[http->num_of_part].pkbuf)) {
-                ogs_error("ogs_pkbuf_alloc() failed");
+                ogs_error("ogs_pkbuf_copy() failed");
+
+                if (data.part[i].content_id)
+                    ogs_free(data.part[i].content_id);
+                if (data.part[i].content_type)
+                    ogs_free(data.part[i].content_type);
+                if (data.part[i].content)
+                    ogs_free(data.part[i].content);
+
+                if (data.header_field)
+                    ogs_free(data.header_field);
+
                return OGS_ERROR;
            }
            ogs_pkbuf_put_data(http->part[http->num_of_part].pkbuf,
@ -2386,7 +2397,21 @@ static int parse_multipart(
            message->part[message->num_of_part].pkbuf =
                ogs_pkbuf_copy(http->part[http->num_of_part].pkbuf);
            if (!(message->part[http->num_of_part].pkbuf)) {
-                ogs_error("ogs_pkbuf_alloc() failed");
+                ogs_error("ogs_pkbuf_copy() failed");
+
+                if (data.part[i].content_id)
+                    ogs_free(data.part[i].content_id);
+                if (data.part[i].content_type)
+                    ogs_free(data.part[i].content_type);
+                if (data.part[i].content)
+                    ogs_free(data.part[i].content);
+
+                if (data.header_field)
+                    ogs_free(data.header_field);
+
+                if (http->part[http->num_of_part].pkbuf)
+                    ogs_pkbuf_free(http->part[http->num_of_part].pkbuf);
+
                return OGS_ERROR;
            }