- Store the realloc result in a separate pointer so that we can free
the original on allocation failure
- Use an explicit uint8_t for the argument vector length instead of
"char" which might be signed or unsigned, depending on the arch
- Bail out with an invalid argument error if the argument vector
exceeds 255 items
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
#include <fcntl.h>
#include <errno.h>
#include <unistd.h>
+#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
rpc_file_md5(struct ubus_context *ctx, struct ubus_object *obj,
struct ubus_request_data *req, const char *method,
struct blob_attr *msg)
-{
+{
int rv, i;
char *path;
struct stat s;
int rem;
struct blob_attr *cur;
- char arglen;
- char **args;
+ uint8_t arglen;
+ char **args, **tmp;
struct rpc_file_exec_context *c;
if (blobmsg_type(cur) != BLOBMSG_TYPE_STRING)
continue;
+ if (arglen == 255)
+ {
+ free(args);
+ return UBUS_STATUS_INVALID_ARGUMENT;
+ }
+
arglen++;
+ tmp = realloc(args, sizeof(char *) * arglen);
- if (!(args = realloc(args, sizeof(char *) * arglen)))
+ if (!tmp)
+ {
+ free(args);
return UBUS_STATUS_UNKNOWN_ERROR;
+ }
+ args = tmp;
args[arglen-2] = blobmsg_data(cur);
args[arglen-1] = NULL;
}