[parted-devel] BUG: ped_exception_throw() can go to endless loop allocating memory
Petr Uzel
petr.uzel at suse.cz
Wed Nov 26 10:48:18 UTC 2008
On Wed, Nov 26, 2008 at 10:42:33AM +0100, Petr Uzel wrote:
> Hi list!
>
> 1 PedExceptionOption
> 2 ped_exception_throw (PedExceptionType ex_type,
> 3 PedExceptionOption ex_opts, const char* message, ...)
> 4 {
> 5 va_list arg_list;
> 6 int result;
> 7 static int size = 1000;
>
> 8 if (ex)
> 9 ped_exception_catch ();
>
> 10 ex = (PedException*) malloc (sizeof (PedException));
> 11 if (!ex)
> 12 goto no_memory;
>
> 13 ex->type = ex_type;
> 14 ex->options = ex_opts;
>
> 15 while (message) {
> 16 ex->message = (char*) malloc (size * sizeof (char));
> 17 if (!ex->message)
> 18 goto no_memory;
>
> 19 va_start (arg_list, message);
> 20 result = vsnprintf (ex->message, size, message, arg_list);
> 21 va_end (arg_list);
>
> 22 if (result > -1 && result < size)
> 23 break;
>
> 24 size += 10;
> 25 free (ex->message);
> 26 }
>
> 27 return do_throw ();
>
> If this function gets NULL in 'message' parameter, it will go into
> endless loop allocating memory because vsnprintf() on line 20 will
> keep returning -1 and thus the condition on line 22 will never be
> true.
>
> There is at least one place where ped_exception_throw() is called with
> NULL : libparted/labels/dasd.c:243 [*]
>
> I suggest to:
> a) PED_ASSERT(message != NULL) somewhere in ped_exception_throw()
> b) change the condition on line 22 to be just 'if (result < size)',
> because when vsnprintf() once returned -1, it will probably keep
> returning the same even with larger buffer.
If the condition is changed, there should probably be added something
like
if (result == -1) return (PED_EXCEPTION_UNHANDLED)
> c) fix [*] to something more appropriate, such as:
>
> ped_exception_throw(PED_EXCEPTION_ERROR, PED_EXCEPTION_OK,
> _("%s is corrupted"),
> dev->path);
Or maybe remove the ped_exception_call() completely from this place
and simply return 0 ?
--
Best regards / s pozdravem
Petr Uzel, Packages maintainer
---------------------------------------------------------------------
SUSE LINUX, s.r.o. e-mail: puzel at suse.cz
Lihovarská 1060/12 tel: +420 284 028 964
190 00 Prague 9 fax: +420 284 028 951
Czech Republic http://www.suse.cz
More information about the parted-devel
mailing list