rpcserver: common: Fix buffer overflow in handle_client
netanelc305 committed Dec 25, 2023
1 parent 3ef01c6 commit fbc34c9
Showing 3 changed files with 12 additions and 7 deletions.
10 changes: 6 additions & 4 deletions src/rpcserver/common.c
Expand Up @@ -100,11 +100,13 @@ void safe_free(void **ptr) {
*ptr = NULL;
}

bool receive_message(int sockfd, char *buf, size_t *size) {
bool receive_message(int sockfd, char **buf, size_t *size) {
bool ret = false;
recv(sockfd, size, sizeof(size_t), 0);
CHECK(*size != 0);
CHECK(recvall(sockfd, buf, *size));
CHECK(sizeof(size_t) == recv(sockfd, size, sizeof(size_t), 0));
CHECK(*size > 0);
*buf = (char *) malloc(*size * sizeof(char));
CHECK(NULL != *buf);
CHECK(recvall(sockfd, *buf, *size));
ret = true;
error:
return ret;
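Review bot: The length read from the socket in receive_message reaches `malloc` with only a `> 0` check, so a peer can make the server attempt an allocation of any size a `size_t` can hold; bound it before allocating, e.g. `CHECK(*size > 0 && *size <= MAX_MESSAGE_SIZE);`, where `MAX_MESSAGE_SIZE` is a placeholder for a limit the project would have to define. The header read `recv(sockfd, size, sizeof(size_t), 0)` may return fewer bytes than requested on a stream socket, which now aborts the connection; reading it with `recvall(sockfd, (char *) size, sizeof(size_t))` would treat it like the payload read, assuming recvall takes the same arguments as in the payload call. If `recvall` fails, `*buf` stays allocated while the function returns false, so either free it under `error:` (for example `if (!ret) safe_free((void **) buf);`) or add a comment stating that the caller owns `*buf` even on failure.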
2 changes: 1 addition & 1 deletion src/rpcserver/common.h
Expand Up @@ -55,7 +55,7 @@ bool send_message(int sockfd, const uint8_t *buf, size_t len);

bool send_response(int sockfd, ProtobufCMessage *resp);

bool receive_message(int sockfd, char *buf, size_t *size);
bool receive_message(int sockfd, char **buf, size_t *size);

void safe_free(void **ptr);

7 changes: 5 additions & 2 deletions src/rpcserver/rpcserver.c
Expand Up @@ -720,11 +720,13 @@ void handle_client(int sockfd) {

while (true) {
Rpc__Command *cmd;
char *recv_buff = NULL;
message_size = 0;
CHECK(receive_message(sockfd, (char *) &buffer, &message_size))
CHECK(receive_message(sockfd, &recv_buff, &message_size))

TRACE("recv");
cmd = rpc__command__unpack(NULL, message_size, buffer);
cmd = rpc__command__unpack(NULL, message_size, (uint8_t *) recv_buff);
CHECK(cmd != NULL);
TRACE("client fd: %d, cmd type: %d", sockfd, cmd->type_case);
CHECK(cmd->magic == MAGIC);

Expand Down Expand Up @@ -785,6 +787,7 @@ void handle_client(int sockfd) {
}
}
rpc__command__free_unpacked(cmd, NULL);
safe_free((void **) &recv_buff);
}

error:
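Review bot: Every `CHECK` between the `receive_message` call and the bottom of the loop in handle_client jumps to `error:` without reaching the added `safe_free((void **) &recv_buff);`, so a client that sends an undecodable message or a wrong magic leaves the receive buffer allocated (and, for the magic check, `cmd` as well). Because `char *recv_buff = NULL;` is declared inside the `while` block, the `error:` path cannot release it as written; declaring it at function scope and calling `safe_free((void **) &recv_buff);` under `error:` would cover those exits. If `rpc__command__unpack` copies what it needs out of its input, which should be confirmed for the protobuf-c version in use, the buffer could instead be freed immediately after the unpack call. The start of handle_client and the code after `error:` are outside the visible hunks, so any cleanup already done there could not be checked.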
