SF Bug Tracker id 3497126 - Resource leak in http_RecvPostMessage
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 12:33:59 PST Fp is not closed when an error is raised on membuffer_append or sock_read.
This commit is contained in:
Fabrice Fontaine
parent
eeab71082f
commit
30badb44c7
@ -2,6 +2,15 @@
|
|||||||
Version 1.6.16
|
Version 1.6.16
|
||||||
*******************************************************************************
|
*******************************************************************************
|
||||||
|
|
||||||
|
2012-03-05 Fabrice Fontaine <fabrice.fontaine(at)orange.com>
|
||||||
|
|
||||||
|
SF Bug Tracker id 3497126 - Resource leak in http_RecvPostMessage
|
||||||
|
|
||||||
|
Submitted: Fabrice Fontaine ( ffontaine ) - 2012-03-05 12:33:59 PST
|
||||||
|
|
||||||
|
Fp is not closed when an error is raised on membuffer_append or
|
||||||
|
sock_read.
|
||||||
|
|
||||||
2012-03-05 Fabrice Fontaine <fabrice.fontaine(at)orange.com>
|
2012-03-05 Fabrice Fontaine <fabrice.fontaine(at)orange.com>
|
||||||
|
|
||||||
SF Bug Tracker id 3497034 - Buffer not null terminated in UpnpGetIfInfo
|
SF Bug Tracker id 3497034 - Buffer not null terminated in UpnpGetIfInfo
|
||||||
|
|||||||
@ -1315,7 +1315,7 @@ static int http_RecvPostMessage(
|
|||||||
int ok_on_close = FALSE;
|
int ok_on_close = FALSE;
|
||||||
size_t entity_offset = 0;
|
size_t entity_offset = 0;
|
||||||
int num_read = 0;
|
int num_read = 0;
|
||||||
int ret_code = 0;
|
int ret_code = HTTP_OK;
|
||||||
|
|
||||||
if (Instr && Instr->IsVirtualFile) {
|
if (Instr && Instr->IsVirtualFile) {
|
||||||
Fp = (virtualDirCallback.open) (filename, UPNP_WRITE);
|
Fp = (virtualDirCallback.open) (filename, UPNP_WRITE);
|
||||||
@ -1338,8 +1338,8 @@ static int http_RecvPostMessage(
|
|||||||
&& (status != PARSE_CONTINUE_1)
|
&& (status != PARSE_CONTINUE_1)
|
||||||
&& (status != PARSE_INCOMPLETE)) {
|
&& (status != PARSE_INCOMPLETE)) {
|
||||||
/* error */
|
/* error */
|
||||||
fclose(Fp);
|
ret_code = HTTP_BAD_REQUEST;
|
||||||
return HTTP_BAD_REQUEST;
|
goto ExitFunction;
|
||||||
}
|
}
|
||||||
/* read more if necessary entity */
|
/* read more if necessary entity */
|
||||||
while (entity_offset + Data_Buf_Size > parser->msg.entity.length &&
|
while (entity_offset + Data_Buf_Size > parser->msg.entity.length &&
|
||||||
@ -1347,13 +1347,13 @@ static int http_RecvPostMessage(
|
|||||||
num_read = sock_read(info, Buf, sizeof(Buf), &Timeout);
|
num_read = sock_read(info, Buf, sizeof(Buf), &Timeout);
|
||||||
if (num_read > 0) {
|
if (num_read > 0) {
|
||||||
/* append data to buffer */
|
/* append data to buffer */
|
||||||
ret_code = membuffer_append(&parser->msg.msg,
|
if (membuffer_append(&parser->msg.msg,
|
||||||
Buf, (size_t)num_read);
|
Buf, (size_t)num_read) != 0) {
|
||||||
if (ret_code != 0) {
|
|
||||||
/* set failure status */
|
/* set failure status */
|
||||||
parser->http_error_code =
|
parser->http_error_code =
|
||||||
HTTP_INTERNAL_SERVER_ERROR;
|
HTTP_INTERNAL_SERVER_ERROR;
|
||||||
return HTTP_INTERNAL_SERVER_ERROR;
|
ret_code = HTTP_INTERNAL_SERVER_ERROR;
|
||||||
|
goto ExitFunction;
|
||||||
}
|
}
|
||||||
status = parser_parse_entity(parser);
|
status = parser_parse_entity(parser);
|
||||||
if (status == PARSE_INCOMPLETE_ENTITY) {
|
if (status == PARSE_INCOMPLETE_ENTITY) {
|
||||||
@ -1362,7 +1362,8 @@ static int http_RecvPostMessage(
|
|||||||
} else if ((status != PARSE_SUCCESS)
|
} else if ((status != PARSE_SUCCESS)
|
||||||
&& (status != PARSE_CONTINUE_1)
|
&& (status != PARSE_CONTINUE_1)
|
||||||
&& (status != PARSE_INCOMPLETE)) {
|
&& (status != PARSE_INCOMPLETE)) {
|
||||||
return HTTP_BAD_REQUEST;
|
ret_code = HTTP_BAD_REQUEST;
|
||||||
|
goto ExitFunction;
|
||||||
}
|
}
|
||||||
} else if (num_read == 0) {
|
} else if (num_read == 0) {
|
||||||
if (ok_on_close) {
|
if (ok_on_close) {
|
||||||
@ -1374,10 +1375,12 @@ static int http_RecvPostMessage(
|
|||||||
} else {
|
} else {
|
||||||
/* partial msg or response */
|
/* partial msg or response */
|
||||||
parser->http_error_code = HTTP_BAD_REQUEST;
|
parser->http_error_code = HTTP_BAD_REQUEST;
|
||||||
return HTTP_BAD_REQUEST;
|
ret_code = HTTP_BAD_REQUEST;
|
||||||
|
goto ExitFunction;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
return num_read;
|
ret_code = num_read;
|
||||||
|
goto ExitFunction;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if ((entity_offset + Data_Buf_Size) > parser->msg.entity.length) {
|
if ((entity_offset + Data_Buf_Size) > parser->msg.entity.length) {
|
||||||
@ -1391,25 +1394,26 @@ static int http_RecvPostMessage(
|
|||||||
if (Instr->IsVirtualFile) {
|
if (Instr->IsVirtualFile) {
|
||||||
int n = virtualDirCallback.write(Fp, Buf, Data_Buf_Size);
|
int n = virtualDirCallback.write(Fp, Buf, Data_Buf_Size);
|
||||||
if (n < 0) {
|
if (n < 0) {
|
||||||
virtualDirCallback.close(Fp);
|
ret_code = HTTP_INTERNAL_SERVER_ERROR;
|
||||||
return HTTP_INTERNAL_SERVER_ERROR;
|
goto ExitFunction;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
size_t n = fwrite(Buf, 1, Data_Buf_Size, Fp);
|
size_t n = fwrite(Buf, 1, Data_Buf_Size, Fp);
|
||||||
if (n != Data_Buf_Size) {
|
if (n != Data_Buf_Size) {
|
||||||
fclose(Fp);
|
ret_code = HTTP_INTERNAL_SERVER_ERROR;
|
||||||
return HTTP_INTERNAL_SERVER_ERROR;
|
goto ExitFunction;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
} while (parser->position != POS_COMPLETE ||
|
} while (parser->position != POS_COMPLETE ||
|
||||||
entity_offset != parser->msg.entity.length);
|
entity_offset != parser->msg.entity.length);
|
||||||
if (Instr->IsVirtualFile) {
|
ExitFunction:
|
||||||
|
if (Instr && Instr->IsVirtualFile) {
|
||||||
virtualDirCallback.close(Fp);
|
virtualDirCallback.close(Fp);
|
||||||
} else {
|
} else {
|
||||||
fclose(Fp);
|
fclose(Fp);
|
||||||
}
|
}
|
||||||
|
|
||||||
return HTTP_OK;
|
return ret_code;
|
||||||
}
|
}
|
||||||
|
|
||||||
void web_server_callback(http_parser_t *parser, INOUT http_message_t *req,
|
void web_server_callback(http_parser_t *parser, INOUT http_message_t *req,
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user