- MMS: fixed potential memory leak in asn1 code that can be caused by malformed MMS messages
This commit is contained in:
parent
90d910625b
commit
922dac1a34
5 changed files with 21 additions and 8 deletions
|
@ -33,7 +33,7 @@
|
|||
#undef ADVANCE
|
||||
#define ADVANCE(num_bytes) do { \
|
||||
size_t num = num_bytes; \
|
||||
ptr = ((const char *)ptr) + num;\
|
||||
ptr = ((const char *)ptr) + num; \
|
||||
size -= num; \
|
||||
if(ctx->left >= 0) \
|
||||
ctx->left -= num; \
|
||||
|
@ -328,11 +328,12 @@ SEQUENCE_decode_ber(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td,
|
|||
* or an extension (...),
|
||||
* or an end of the indefinite-length structure.
|
||||
*/
|
||||
if(!IN_EXTENSION_GROUP(specs, edx)) {
|
||||
if(!IN_EXTENSION_GROUP(specs, edx + elements[edx].optional)) {
|
||||
RETURN(RC_FAIL);
|
||||
} else {
|
||||
/* Skip this tag */
|
||||
ssize_t skip;
|
||||
edx += elements[edx].optional;
|
||||
|
||||
skip = ber_skip_length(opt_codec_ctx,
|
||||
BER_TLV_CONSTRUCTED(ptr),
|
||||
|
@ -1135,7 +1136,6 @@ SEQUENCE_encode_uper(asn_TYPE_descriptor_t *td,
|
|||
|
||||
er.encoded = 0;
|
||||
|
||||
ASN_DEBUG("Encoding %s as SEQUENCE (UPER)", td->name);
|
||||
if(specs->ext_before >= 0)
|
||||
_ASN_ENCODE_FAILED; /* We don't encode extensions yet */
|
||||
|
||||
|
|
|
@ -213,6 +213,8 @@ SET_OF_decode_ber(asn_codec_ctx_t *opt_codec_ctx, asn_TYPE_descriptor_t *td,
|
|||
}
|
||||
/* Fall through */
|
||||
case RC_FAIL: /* Fatal error */
|
||||
ASN_STRUCT_FREE(*elm->type, ctx->ptr);
|
||||
ctx->ptr = 0;
|
||||
RETURN(RC_FAIL);
|
||||
} /* switch(rval) */
|
||||
|
||||
|
@ -764,8 +766,10 @@ SET_OF_print(asn_TYPE_descriptor_t *td, const void *sptr, int ilevel,
|
|||
void
|
||||
SET_OF_free(asn_TYPE_descriptor_t *td, void *ptr, int contents_only) {
|
||||
if(td && ptr) {
|
||||
asn_SET_OF_specifics_t *specs;
|
||||
asn_TYPE_member_t *elm = td->elements;
|
||||
asn_anonymous_set_ *list = _A_SET_FROM_VOID(ptr);
|
||||
asn_struct_ctx_t *ctx; /* Decoder context */
|
||||
int i;
|
||||
|
||||
/*
|
||||
|
@ -781,6 +785,13 @@ SET_OF_free(asn_TYPE_descriptor_t *td, void *ptr, int contents_only) {
|
|||
|
||||
asn_set_empty(list); /* Remove (list->array) */
|
||||
|
||||
specs = (asn_SET_OF_specifics_t *)td->specifics;
|
||||
ctx = (asn_struct_ctx_t *)((char *)ptr + specs->ctx_offset);
|
||||
if(ctx->ptr) {
|
||||
ASN_STRUCT_FREE(*elm->type, ctx->ptr);
|
||||
ctx->ptr = 0;
|
||||
}
|
||||
|
||||
if(!contents_only) {
|
||||
FREEMEM(ptr);
|
||||
}
|
||||
|
|
|
@ -233,9 +233,10 @@ mmsServer_handleDeleteNamedVariableListRequest(MmsServerConnection connection,
|
|||
mmsMsg_createServiceErrorPdu(invokeId, response, MMS_ERROR_ACCESS_OBJECT_ACCESS_UNSUPPORTED);
|
||||
}
|
||||
|
||||
exit_function:
|
||||
|
||||
asn_DEF_MmsPdu.free_struct(&asn_DEF_MmsPdu, mmsPdu, 0);
|
||||
|
||||
exit_function:
|
||||
return;
|
||||
}
|
||||
|
||||
|
@ -420,7 +421,7 @@ mmsServer_handleDefineNamedVariableListRequest(
|
|||
|
||||
if (rval.code != RC_OK) {
|
||||
mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
|
||||
goto exit_function;
|
||||
goto exit_free_struct;
|
||||
}
|
||||
|
||||
request = &(mmsPdu->choice.confirmedRequestPdu.confirmedServiceRequest.choice.defineNamedVariableList);
|
||||
|
@ -666,7 +667,7 @@ mmsServer_handleGetNamedVariableListAttributesRequest(
|
|||
|
||||
if (rval.code != RC_OK) {
|
||||
mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
|
||||
return;
|
||||
goto exit_function;
|
||||
}
|
||||
|
||||
if (request->present == ObjectName_PR_domainspecific) {
|
||||
|
|
|
@ -747,7 +747,7 @@ mmsServer_handleReadRequest(
|
|||
|
||||
if (rval.code != RC_OK) {
|
||||
mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
|
||||
return;
|
||||
goto exit_function;
|
||||
}
|
||||
|
||||
request = &(mmsPdu->choice.confirmedRequestPdu.confirmedServiceRequest.choice.read);
|
||||
|
@ -764,6 +764,7 @@ mmsServer_handleReadRequest(
|
|||
mmsMsg_createServiceErrorPdu(invokeId, response, MMS_ERROR_ACCESS_OBJECT_ACCESS_UNSUPPORTED);
|
||||
}
|
||||
|
||||
exit_function:
|
||||
asn_DEF_MmsPdu.free_struct(&asn_DEF_MmsPdu, mmsPdu, 0);
|
||||
}
|
||||
|
||||
|
|
|
@ -481,7 +481,7 @@ mmsServer_handleWriteRequest(
|
|||
|
||||
if (rval.code != RC_OK) {
|
||||
mmsMsg_createMmsRejectPdu(&invokeId, MMS_ERROR_REJECT_INVALID_PDU, response);
|
||||
return;
|
||||
goto exit_function;
|
||||
}
|
||||
|
||||
WriteRequest_t* writeRequest = &(mmsPdu->choice.confirmedRequestPdu.confirmedServiceRequest.choice.write);
|
||||
|
|
Loading…
Add table
Reference in a new issue