From 131ecb4a449644a7f24605286dea686be7295c39 Mon Sep 17 00:00:00 2001
From: Sukchan Lee
Date: Sun, 29 Jan 2023 16:45:42 +0900
Subject: [PATCH] [CORE] Add defense code to ogs_pkbuf_copy (#2032)

Added a defense code to prevent NF crash when ogs_pkbuf_copy() size is 0.
---
 lib/core/ogs-pkbuf.c | 18 ++++++++++++------
 lib/sbi/message.c | 29 +++++++++++++++++++++++++++--
 2 files changed, 39 insertions(+), 8 deletions(-)

diff --git a/lib/core/ogs-pkbuf.c b/lib/core/ogs-pkbuf.c
index d5843eeac..562088f1f 100644
--- a/lib/core/ogs-pkbuf.c
+++ b/lib/core/ogs-pkbuf.c
@@ -317,11 +317,21 @@ ogs_pkbuf_t *ogs_pkbuf_copy_debug(ogs_pkbuf_t *pkbuf, const char *file_line)
 {
 #if OGS_USE_TALLOC
 ogs_pkbuf_t *newbuf;
+#else
+ ogs_pkbuf_pool_t *pool = NULL;
+ ogs_pkbuf_t *newbuf = NULL;
+#endif
 int size = 0;
 ogs_assert(pkbuf);
 size = pkbuf->end - pkbuf->head;
- ogs_assert(size > 0);
+ if (size <= 0) {
+ ogs_error("Invalid argument[size=%d, head=%p, end=%p] in (%s)",
+ size, pkbuf->head, pkbuf->end, file_line);
+ return NULL;
+ }
+
+#if OGS_USE_TALLOC
 newbuf = ogs_pkbuf_alloc_debug(NULL, size, file_line);
 if (!newbuf) {
 ogs_error("ogs_pkbuf_alloc() failed [size=%d]", size);
@@ -339,10 +349,6 @@ ogs_pkbuf_t *ogs_pkbuf_copy_debug(ogs_pkbuf_t *pkbuf, const char *file_line)
 return newbuf;
 #else
- ogs_pkbuf_pool_t *pool = NULL;
- ogs_pkbuf_t *newbuf = NULL;
-
- ogs_assert(pkbuf);
 pool = pkbuf->pool;
 ogs_assert(pool);
@@ -350,7 +356,7 @@ ogs_pkbuf_t *ogs_pkbuf_copy_debug(ogs_pkbuf_t *pkbuf, const char *file_line)
 ogs_pool_alloc(&pool->pkbuf, &newbuf);
 if (!newbuf) {
- ogs_error("ogs_pkbuf_copy() failed");
+ ogs_error("ogs_pkbuf_copy() failed [size=%d]", size);
 ogs_thread_mutex_unlock(&pool->mutex);
 return NULL;
 }
diff --git a/lib/sbi/message.c b/lib/sbi/message.c
index 19dbf40ca..5bbac1853 100644
--- a/lib/sbi/message.c
+++ b/lib/sbi/message.c
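Review bot: In ogs_pkbuf_copy_debug (lib/core/ogs-pkbuf.c, first hunk), replacing `ogs_assert(size > 0)` with `return NULL` changes the function's contract, so a caller that does not check the result now dereferences NULL instead of stopping at the assert. This patch only updates parse_multipart; other callers are not visible here and should be audited before relying on this as the crash fix. The new behaviour deserves a comment above the function, for example `/* Returns NULL (after logging) when the source buffer is empty or allocation fails; callers must check the result. */`. If `head` and `end` are not `void *` (their type is declared outside the hunk), the `%p` arguments should be cast, as in `(void *)pkbuf->head, (void *)pkbuf->end`. The function body starts before and continues past this hunk.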
@@ -2373,7 +2373,18 @@ static int parse_multipart(
 http->part[http->num_of_part].pkbuf =
 ogs_pkbuf_alloc(NULL, data.part[i].content_length);
 if (!(http->part[http->num_of_part].pkbuf)) {
- ogs_error("ogs_pkbuf_alloc() failed");
+ ogs_error("ogs_pkbuf_copy() failed");
+
+ if (data.part[i].content_id)
+ ogs_free(data.part[i].content_id);
+ if (data.part[i].content_type)
+ ogs_free(data.part[i].content_type);
+ if (data.part[i].content)
+ ogs_free(data.part[i].content);
+
+ if (data.header_field)
+ ogs_free(data.header_field);
+
 return OGS_ERROR;
 }
 ogs_pkbuf_put_data(http->part[http->num_of_part].pkbuf,
@@ -2386,7 +2397,21 @@ static int parse_multipart(
 message->part[message->num_of_part].pkbuf =
 ogs_pkbuf_copy(http->part[http->num_of_part].pkbuf);
 if (!(message->part[http->num_of_part].pkbuf)) {
- ogs_error("ogs_pkbuf_alloc() failed");
+ ogs_error("ogs_pkbuf_copy() failed");
+
+ if (data.part[i].content_id)
+ ogs_free(data.part[i].content_id);
+ if (data.part[i].content_type)
+ ogs_free(data.part[i].content_type);
+ if (data.part[i].content)
+ ogs_free(data.part[i].content);
+
+ if (data.header_field)
+ ogs_free(data.header_field);
+
+ if (http->part[http->num_of_part].pkbuf)
+ ogs_pkbuf_free(http->part[http->num_of_part].pkbuf);
+
 return OGS_ERROR;
 }
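Review bot: The log text in the first failure branch of parse_multipart now names the wrong call: the branch guards `ogs_pkbuf_alloc(NULL, data.part[i].content_length)`, so the message should remain `ogs_error("ogs_pkbuf_alloc() failed");`, otherwise anyone triaging a rejected multipart body is pointed at the copy path. The added cleanup releases only `data.part[i]` and `data.header_field`. If `data.part[]` holds further parsed parts beyond index i, they would be left allocated on this early return; the loop is outside the hunk, so this is inferred. The same cleanup sequence is repeated in the second hunk, so a single exit label or static helper would keep the two paths from drifting apart.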
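Review bot: The NULL check after ogs_pkbuf_copy() in the second hunk reads `message->part[http->num_of_part].pkbuf`, while the assignment just above writes `message->part[message->num_of_part].pkbuf`. If the two counters ever differ, the new error path is evaluated against the wrong slot, so the test should be `if (!(message->part[message->num_of_part].pkbuf)) {`. After `ogs_pkbuf_free(http->part[http->num_of_part].pkbuf);` the slot still holds the freed pointer. Adding `http->part[http->num_of_part].pkbuf = NULL;` would guard against a later release of the http message touching it, if that cleanup walks this slot (not visible here). parse_multipart starts and ends outside the hunk.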