From: Peter K. <pk...@us...> - 2001-03-27 18:12:49
The following file was modified in apps/bluetooth/sdp_server:
Name Old version New version Comment
---- ----------- ----------- -------
sdp_server.c 1.25 1.26=20=20=20=20=20=20=20=20=20=20=20=20
The accompanying log:
* Handle failed memory allocations.
* Fixed a couple of memory leaks.
* Fixed too small allocations in get_start().
The diff of the modified file(s):
--- sdp_server.c 2001/03/26 16:06:45 1.25
+++ sdp_server.c 2001/03/27 18:12:47 1.26
@@ -204,6 +204,12 @@
return tmp;
}
=20
+int
+is_err(void)
+{
+ return parse_err !=3D 0;
+}
+
void
start_xml_parser(XML_Parser p, int fd)
{
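Review bot: `is_err()` reads the file-scope `parse_err` flag, but nothing in this patch ever clears it, and once set it breaks `start_xml_parser`'s read loop and trips every `is_err()` check added below (for example after `set_cont_state_search`), so a single failed allocation would turn every later request into an error response unless the flag is reset per request somewhere outside the diff — worth confirming where that reset lives. The new function also has no comment; `/* True once set_err() has recorded a failure in parse_err. */` above it would tell callers what they are testing.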
@@ -238,6 +244,11 @@
fprintf(stderr, "len:%d\n",len);
break;
}
+
+ if (is_err())
+ {
+ break;
+ }
} while (len);
}
=20
@@ -464,6 +475,12 @@
s_hdl->hdl_list_max +=3D 16;
tmp =3D realloc(s_hdl->hdl_list, s_hdl->hdl_list_max * sizeof *s_h=
dl->hdl_list);
D_MEM("---> realloc%d %ld bytes at 0x%8p", malloc_dbg++, s_hdl->hd=
l_list_max * sizeof *s_hdl->hdl_list, tmp);
+ if (!tmp)
+ {
+ set_err(SDP_INSUFFICIENT_RESOURCES);
+ s_hdl->hdl_list_max -=3D 16;
+ return;
+ }
=20
s_hdl->hdl_list =3D tmp;
}
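Review bot: The `D_MEM` line increments `malloc_dbg` before the new `if (!tmp)` check, so a failed realloc is still counted as a live allocation while the matching free paths decrement, and the debug counter drifts by one per failure. Moving the `D_MEM` call below the check, or decrementing in the failure branch, keeps it balanced; the same ordering applies to the failure branches added at the later malloc sites (`get_more_rec_hdl`, the two `return_sequence` mallocs, the `attributes`, `cont_state_buf` and `send_buf` allocations). The realloc growth itself is fine; restoring `hdl_list_max` on failure keeps the list consistent with the still-valid old buffer.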
@@ -510,6 +527,13 @@
s_hdl.hdl_list_max =3D 16;
s_hdl.hdl_list =3D malloc(s_hdl.hdl_list_max * sizeof *s_hdl.hdl_list);
D_MEM("---> malloc%d %ld bytes at 0x%8p", malloc_dbg++, s_hdl.hdl_list_m=
ax * sizeof *s_hdl.hdl_list, s_hdl.hdl_list);
+ if (!s_hdl.hdl_list)
+ {
+ set_err(SDP_INSUFFICIENT_RESOURCES);
+ D_MEM("<--- free%d 0x%8p", --malloc_dbg, s_hdl.uuid);
+ free(s_hdl.uuid);
+ return NULL;
+ }
=20
p =3D XML_ParserCreate(NULL);
XML_SetElementHandler(p, get_more_rec_hdl_start, get_more_rec_hdl_end);
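Review bot: The new check covers the `hdl_list` allocation, but `XML_ParserCreate(NULL)` two lines later is still unchecked; Expat returns NULL from it when it cannot allocate, and `XML_SetElementHandler(p, …)` would then dereference that NULL. Given the commit's goal of handling failed allocations, a `if (!p) { set_err(SDP_INSUFFICIENT_RESOURCES); … }` branch that frees `s_hdl.hdl_list` and `s_hdl.uuid` (with the D_MEM lines) and returns NULL belongs here too. The other `XML_ParserCreate` call sites are outside this diff and presumably need the same treatment.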
@@ -519,15 +543,33 @@
start_xml_parser(p, fd);
XML_ParserFree(p);
=20
+ D_MEM("<--- free%d 0x%8p", --malloc_dbg, s_hdl.uuid);
+ free(s_hdl.uuid);
+
+ if (is_err())
+ {
+ D_MEM("<--- free%d 0x%8p", --malloc_dbg, s_hdl.hdl_list);
+ free(s_hdl.hdl_list);
+ return NULL;
+ }
+
if (s_hdl.hdl_list_len >=3D s_hdl.hdl_list_max)
{
- s_hdl.hdl_list_max =3D s_hdl.hdl_list_len + 1;
+ s_hdl.hdl_list_max++;
=20
tmp =3D realloc(s_hdl.hdl_list, s_hdl.hdl_list_max * sizeof *s_hdl.hdl=
_list);
D_MEM("---> realloc%d %ld bytes at 0x%8p", malloc_dbg++, s_hdl.hdl_lis=
t_max * sizeof *s_hdl.hdl_list, tmp);
+ if (!tmp)
+ {
+ set_err(SDP_INSUFFICIENT_RESOURCES);
+ D_MEM("<--- free%d 0x%8p", --malloc_dbg, s_hdl.hdl_list);
+ free(s_hdl.hdl_list);
+ return NULL;
+ }
=20
s_hdl.hdl_list =3D tmp;
}
+
s_hdl.hdl_list[s_hdl.hdl_list_len++] =3D NO_REC_HDL;
=20
return s_hdl.hdl_list;
@@ -544,6 +586,11 @@
/* FIXME: But for now 256 bytes will do */
return_sequence =3D malloc(256);
D_MEM("---> malloc%d %d bytes at 0x%8p", malloc_dbg++, 256, return_seque=
nce);
+ if (!return_sequence)
+ {
+ set_err(SDP_INSUFFICIENT_RESOURCES);
+ return NULL;
+ }
=20
D_ATTR("A range of attributes was requested 0x%04x - 0x%04x",
(attr_id_code >> 16), (attr_id_code & 0xffff));
@@ -551,6 +598,13 @@
/* Lists all attributes registerd in the database */
attr_lst =3D get_all_attributes(fd);
=20=20=20
+ if (!attr_lst)
+ {
+ D_MEM("<--- free%d 0x%8p", --malloc_dbg, return_sequence);
+ free(return_sequence);
+ return NULL;
+ }
+=20=20
return_sequence[pos++] =3D DES_HDR;
return_sequence[pos++] =3D 0;
=20=20=20
@@ -576,6 +630,12 @@
D_MEM("<--- free%d 0x%8p", --malloc_dbg, tmp_ptr);
free(tmp_ptr);
}
+ else if (is_err())
+ {
+ D_MEM("<--- free%d 0x%8p", --malloc_dbg, return_sequence);
+ free(return_sequence);
+ return NULL;
+ }
i++;
}
=20=20=20
@@ -587,6 +647,7 @@
=20=20=20
if (return_sequence[1] =3D=3D 0)
{
+ D_MEM("<--- free%d 0x%8p", --malloc_dbg, return_sequence);
free(return_sequence);
return NULL;
}
@@ -667,10 +728,26 @@
start_xml_parser(p, fd);
XML_ParserFree(p);
=20
+ if (is_err())
+ {
+ D_MEM("<--- free%d 0x%8p", --malloc_dbg, search_struct.attribute_name);
+ free(search_struct.attribute_name);
+ D_MEM("<--- free%d 0x%8p", --malloc_dbg, search_struct.service_class);
+ free(search_struct.service_class);
+
+ return NULL;
+ }
+
if (search_struct.attrlist_index =3D=3D 0)
{
D_ATTR("Didn't find the attribute values for the attribute %s",
search_struct.attribute_name);
+
+ D_MEM("<--- free%d 0x%8p", --malloc_dbg, search_struct.attribute_name);
+ free(search_struct.attribute_name);
+ D_MEM("<--- free%d 0x%8p", --malloc_dbg, search_struct.service_class);
+ free(search_struct.service_class);
+
return NULL;
}
=20=20=20
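Review bot: The four-line free sequence for `attribute_name` and `service_class` now appears verbatim in both early-return branches here and a third time after the `return_sequence` malloc in the next hunk; a single `out_free:` label at the end of the function with `goto out_free;` at each failure point keeps the cleanup in one place and makes it hard for a future exit path to miss one of the two frees. The function's tail is outside this hunk, so whether the success path releases the same two members cannot be checked from here.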
@@ -679,7 +756,17 @@
=20
return_sequence =3D malloc(len + 2);
D_MEM("---> malloc%d %d bytes at 0x%8p", malloc_dbg++, len + 2, return_s=
equence);
+ if (!return_sequence)
+ {
+ set_err(SDP_INSUFFICIENT_RESOURCES);
+ D_MEM("<--- free%d 0x%8p", --malloc_dbg, search_struct.attribute_name);
+ free(search_struct.attribute_name);
+ D_MEM("<--- free%d 0x%8p", --malloc_dbg, search_struct.service_class);
+ free(search_struct.service_class);
=20=20=20
+ return NULL;
+ }
+=20=20
return_sequence[0] =3D 0x35;
return_sequence[1] =3D len;
char2hex(char_tmp, return_sequence + 2);
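Review bot: `return_sequence[1] = len` stores the length into a single byte after the `0x35` header (an SDP data-element sequence with a one-byte size), so a `len` above 255 is silently truncated in the header while `malloc(len + 2)` and `char2hex` still use the full value, and a receiver would parse a short element followed by stray bytes. How `len` is derived is outside this hunk; if it can exceed 255, a guard before the allocation such as `if (len > 255) { set_err(<appropriate SDP error>); … }` with the same cleanup as the new `!return_sequence` branch would keep the encoding consistent.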
@@ -907,9 +994,10 @@
{=20=20=20=20
if (set_value !=3D -1)
{
- fprintf(stderr, __FUNCTION__ ": Error more the one attribute =3D=3D =
NULL\n");
+ fprintf(stderr, __FUNCTION__ ": Error more than one attribute =3D=3D=
NULL\n");
return NULL;
}
+
S_FNC("Looking for attribute");
set_value =3D ATTR;
}
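Review bot: The rewritten message still relies on `__FUNCTION__` being a string literal that concatenates with the format string; modern GCC treats `__FUNCTION__` (like C99 `__func__`) as a variable, so this line does not compile there. `fprintf(stderr, "%s: Error more than one attribute == NULL\n", __func__);` is the portable form. The same applies to the matching line in the next hunk.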
@@ -918,9 +1006,10 @@
{
if (set_value !=3D -1)
{
- fprintf(stderr, __FUNCTION__ ": Error more the one attribute =3D=3D =
NULL\n");
+ fprintf(stderr, __FUNCTION__ ": Error more than one attribute =3D=3D=
NULL\n");
return NULL;
}
+
S_FNC("Looking for value");
set_value =3D VAL;
}
@@ -932,16 +1021,15 @@
{
case TAG:
return search_hdl.search_name;
- break;
+
case ATTR:
return search_hdl.search_attr;
- break;
+
case VAL:
return search_hdl.search_val;
- break;
+
default:
return NULL;
- break;
}
=20=20=20
#undef TAG
@@ -967,10 +1055,13 @@
if (strcmp(attr[i + 1], search_hdl->search_val) =3D=3D 0)
{
S_FNC("Found %s", attr[i]);
- m_size =3D strlen(attr[i] + 1);
+ m_size =3D strlen(attr[i]) + 1;
search_hdl->search_attr =3D malloc(m_size);
D_MEM("---> malloc%d %d bytes at 0x%8p", malloc_dbg++, m_size, s=
earch_hdl->search_attr);
+ if (search_hdl->search_attr)
+ {
strcpy(search_hdl->search_attr, attr[i]);
+ }
return;
}
}
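Review bot: When `malloc(m_size)` fails here the handler returns with `search_attr` left NULL but without calling `set_err`, unlike every other allocation site in this patch, so the caller sees the same outcome as "attribute not found" and never reports the failure; an `else { set_err(SDP_INSUFFICIENT_RESOURCES); }` on the new check keeps the two cases distinguishable. The same applies to the `search_val` and `search_name` copies in the next two hunks. The `strlen(attr[i]) + 1` correction is right — the old expression sized the buffer one byte short of the string.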
@@ -986,10 +1077,13 @@
if (strcmp(attr[i], search_hdl->search_attr) =3D=3D 0)
{
S_FNC("Found %s", attr[i + 1]);
- m_size =3D strlen(attr[i + 1] + 1);
+ m_size =3D strlen(attr[i + 1]) + 1;
search_hdl->search_val =3D malloc(m_size);
D_MEM("---> malloc%d %d bytes at 0x%8p", malloc_dbg++, m_size, s=
earch_hdl->search_val);
+ if (search_hdl->search_val)
+ {
strcpy(search_hdl->search_val, attr[i + 1]);
+ }
return;
}
}
@@ -1005,7 +1099,10 @@
m_size =3D strlen(el) + 1;
search_hdl->search_name =3D malloc(m_size);
D_MEM("---> malloc%d %d bytes at 0x%8p", malloc_dbg++, m_size, sea=
rch_hdl->search_name);
+ if (search_hdl->search_name)
+ {
strcpy(search_hdl->search_name, el);
+ }
return;
}
}
@@ -1039,18 +1136,13 @@
=20
attr_lst =3D (unsigned int*)search_hdl.search_val;
=20
- for (i =3D 1; i <=3D attr_lst[0]; i++)
- {
- D_ATTR("Before free Attribute %d: 0x%04x", i , attr_lst[i]);
- }
-
XML_ParserFree(p);
=20=20=20
/* If we didn't find the service class we return here */
- if (search_hdl.search_val =3D=3D NULL)
+ if (!attr_lst)
{
D_ATTR("Didn't find anything");
- return 0;
+ return NULL;
}
=20
for (i =3D 1; i <=3D attr_lst[0]; i++)
@@ -1070,6 +1162,8 @@
=20=20=20
if (strncmp(el, search_hdl->search_name, strlen(search_hdl->search_name)=
) =3D=3D0)
{
+ unsigned int *attributes;
+
S_FNC("Found %s", el);
attr_cnt =3D XML_GetSpecifiedAttributeCount((XML_Parser*) data);
/* Since attr_cnt is the count of both the attibutes and the attribute
@@ -1079,15 +1173,23 @@
S_FNC("%d attributes found", attr_cnt);
/* Allocate space for all the attribute UUIDs plus the attribute count
in the search_output pointer, */
- m_size =3D attr_cnt * 4 + 4;
+ m_size =3D (attr_cnt + 1) * sizeof *attributes;
search_hdl->search_val =3D malloc(m_size);
- D_MEM("---> malloc%d %d bytes at 0x%8p", malloc_dbg++, m_size, search_=
hdl->search_val);
- memcpy(search_hdl->search_val, &attr_cnt, 4);
+ attributes =3D (unsigned int *)search_hdl->search_val;
+ D_MEM("---> malloc%d %d bytes at 0x%8p", malloc_dbg++, m_size, attribu=
tes);
+
+ if (!attributes)
+ {
+ set_err(SDP_INSUFFICIENT_RESOURCES);
+ return;
+ }
+
+ *attributes++ =3D (unsigned int)attr_cnt;
for (i =3D 0; attr[i]; i +=3D 2)
{
unsigned int tmp =3D strtoul(attr[i + 1], NULL, 16);=20
=20
- memcpy(search_hdl->search_val + 4 +(i * 2), &tmp ,4);
+ *attributes++ =3D tmp;
S_FNC("Attribute %d found", tmp);
}=20
}
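Review bot: The `for (i = 0; attr[i]; i += 2)` loop walks the whole `attr` array handed to the start handler, but the buffer was sized from `XML_GetSpecifiedAttributeCount`, which in Expat counts only attributes written in the start tag and not ones defaulted from a DTD; whenever the two differ, `*attributes++` writes past the `(attr_cnt + 1)`-element allocation. Bounding the loop by the count the buffer was sized for, e.g. `for (i = 0; i < attr_cnt && attr[i]; i++)` with the index arithmetic adjusted to however `attr_cnt` was halved above (that line is outside this hunk), removes the dependency. `strtoul(attr[i + 1], NULL, 16)` also yields 0 for a non-hex value; passing an end pointer and checking it would let a malformed record be reported instead of stored as attribute 0.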
@@ -1148,6 +1250,8 @@
=20=20=20
rec_hdl =3D get_record_handle(db_hdl->service_class_list[0], xml_fd);
=20
+ D_REC("Got Record handle: 0x%08x", rec_hdl);
+
if (rec_hdl !=3D NO_REC_HDL)
{
rec_hdl_cnt++;
@@ -1155,11 +1259,17 @@
=20
rec_hdl_list =3D get_more_rec_hdl(db_hdl->service_class_list[0], xml_fd);
=20=20=20
- D_REC("Got Record handle: 0x%08x", rec_hdl);
+ if (is_err())
+ {
+ D_MEM("<--- free%d 0x%8p", --malloc_dbg, rec_hdl_list);
+ free(rec_hdl_list);
+ send_error_rsp(db_hdl->db.sdp_con_id, db_hdl->db.trans_id, get_err());
+ return;
+ }
+=20=20
if (rec_hdl_list)
{
- i =3D 0;
- while (rec_hdl_list[i] !=3D NO_REC_HDL)
+ for (i =3D 0; rec_hdl_list[i] !=3D NO_REC_HDL; i++)
{
D_REC("Got Record handle: 0x%08x", rec_hdl_list[i]);
if (rec_hdl =3D=3D rec_hdl_list[i])
@@ -1167,7 +1277,6 @@
rec_hdl_cnt--;
rec_hdl =3D NO_REC_HDL;
}
- i++;
}
rec_hdl_cnt +=3D i;
}
@@ -1208,6 +1317,12 @@
=20
rsp_pkt_len =3D set_cont_state_search(rsp_pkt, rsp_pkt_len, db_hdl->max_=
rec_cnt);
=20
+ if (is_err())
+ {
+ send_error_rsp(db_hdl->db.sdp_con_id, db_hdl->db.trans_id, get_err());
+ return;
+ }
+=20=20
write2stack(db_hdl->db.sdp_con_id, rsp_pkt, rsp_pkt_len);=20
}
=20
@@ -1235,6 +1350,7 @@
{
tmp_ptr =3D get_attribute_list(xml_fd, db_hdl->rec_hdl, db_hdl->attr=
_list[i]);
}
+
if (tmp_ptr)
{
memcpy(rsp_pkt + rsp_pkt_len, tmp_ptr + 2, tmp_ptr[1]);
@@ -1243,17 +1359,12 @@
D_MEM("<--- free %d 0x%8p", --malloc_dbg, tmp_ptr);
free(tmp_ptr);
}
- else
- {
- int err =3D get_err();
-
- if (err)
+ else if (is_err())
{
- send_error_rsp(db_hdl->db.sdp_con_id, db_hdl->db.trans_id, err);
+ send_error_rsp(db_hdl->db.sdp_con_id, db_hdl->db.trans_id, get_err()=
);
return;
}
}
- }
=20
/* Set the attribute byte count to packet length minus sdp pdu header si=
ze
minus attribute byte count field length, minus continuation field len=
gth*/
@@ -1269,6 +1380,12 @@
=20
rsp_pkt_len =3D set_cont_state_attr(rsp_pkt, rsp_pkt_len,db_hdl->max_att=
r_byte_cnt);
=20
+ if (is_err())
+ {
+ send_error_rsp(db_hdl->db.sdp_con_id, db_hdl->db.trans_id, get_err());
+ return;
+ }
+=20=20
write2stack(db_hdl->db.sdp_con_id, rsp_pkt, rsp_pkt_len);=20
}
=20
@@ -1288,6 +1405,14 @@
=20=20=20
rec_hdl_list =3D get_more_rec_hdl(db_hdl->service_class_list[0], xml_fd);
=20=20=20
+ if (is_err())
+ {
+ D_MEM("<--- free%d 0x%8p", --malloc_dbg, rec_hdl_list);
+ free(rec_hdl_list);
+ send_error_rsp(db_hdl->db.sdp_con_id, db_hdl->db.trans_id, get_err());
+ return;
+ }
+=20=20
rec_hdl_cnt =3D 0;
if (rec_hdl_list)
{
@@ -1314,6 +1439,9 @@
rsp_pkt_len +=3D 2;
=20
if (!rec_hdl_cnt) {
+ D_MEM("<--- free%d 0x%8p", --malloc_dbg, rec_hdl_list);
+ free(rec_hdl_list);
+
rec_hdl_cnt =3D 1;
rec_hdl_list =3D &rec_hdl;
}
@@ -1342,6 +1470,16 @@
D_MEM("<--- free%d tmp_ptr 0x%8p", --malloc_dbg, tmp_ptr);
free(tmp_ptr);
}
+ else if (is_err())
+ {
+ if (rec_hdl_list !=3D &rec_hdl)
+ {
+ D_MEM("<--- free%d 0x%8p", --malloc_dbg, rec_hdl_list);
+ free(rec_hdl_list);
+ }
+ send_error_rsp(db_hdl->db.sdp_con_id, db_hdl->db.trans_id, get_err=
());
+ return;
+ }
}
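Review bot: Freeing `rec_hdl_list` here relies on the `rec_hdl_list != &rec_hdl` identity test to tell a heap list from the single-handle aliasing introduced in the `!rec_hdl_cnt` branch above, and every other free of `rec_hdl_list` after that point — including the normal-path one, which is outside this hunk — needs the same guard or it frees the address of a local. A dedicated flag set where the alias is created, e.g. `int own_list = 1;` cleared next to `rec_hdl_list = &rec_hdl;`, makes that condition explicit at each free rather than encoded in a pointer comparison.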
if (tmp_len > 2)=20
{
@@ -1372,6 +1510,12 @@
=20=20=20
rsp_pkt_len =3D set_cont_state_attr(rsp_pkt, rsp_pkt_len,db_hdl->max_att=
r_byte_cnt);
=20=20=20
+ if (is_err())
+ {
+ send_error_rsp(db_hdl->db.sdp_con_id, db_hdl->db.trans_id, get_err());
+ return;
+ }
+=20=20
/* FIXME: Add features to handle continuation state packets */
write2stack(db_hdl->db.sdp_con_id, rsp_pkt, rsp_pkt_len);=20
}
@@ -1405,6 +1549,12 @@
cont_state_buf =3D malloc(sizeof(cont_state_struct) + cnt_len);
D_MEM("---> malloc%d %ld bytes at 0x%8p", malloc_dbg++, sizeof(cont_st=
ate_struct) + cnt_len, cont_state_buf);
=20
+ if (!cont_state_buf)
+ {
+ set_err(SDP_INSUFFICIENT_RESOURCES);
+ return 0;
+ }
+=20=20=20=20
cont_state_buf->pdu =3D pkt[SDP_HDR_TYPE];
D_MISC("PDU: 0x%02x", cont_state_buf->pdu);
=20=20=20=20=20
@@ -1456,6 +1606,12 @@
cont_state_buf =3D malloc(sizeof(cont_state_struct) + cont_len);
D_MEM("---> malloc%d %ld bytes at 0x%8p", malloc_dbg++, sizeof(cont_st=
ate_struct) + cont_len , cont_state_buf);
=20
+ if (!cont_state_buf)
+ {
+ set_err(SDP_INSUFFICIENT_RESOURCES);
+ return 0;
+ }
+=20=20=20=20
cont_state_buf->pdu =3D pkt[SDP_HDR_TYPE];
D_MISC("PDU: 0x%02x", cont_state_buf->pdu);
=20
@@ -1501,6 +1657,11 @@
=20
send_buf =3D malloc(send_len);
D_MEM("---> malloc%d %d bytes at 0x%8p", malloc_dbg++, send_len, send_=
buf);
+ if (!send_buf)
+ {
+ send_error_rsp(sdp_con_id, trans_id, SDP_INSUFFICIENT_RESOURCES);
+ return;
+ }
=20
set_sdp_hdr(send_buf, cont_state_buf->pdu, trans_id, send_len - SDP_HD=
R_SIZE);
=20
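Review bot: On the new `!send_buf` path `cont_state_buf` is neither freed nor reset to NULL, whereas the success path a few lines down does both before returning; since the same pointer is tested with `if (!cont_state_buf)` for the next continuation request in a later hunk, leaving it allocated here either leaks it or hands stale continuation state to the next request, and which is intended should be stated in a comment. If it should be dropped, the failure branch needs the same lines as the success path: `free(cont_state_buf); cont_state_buf = NULL;` plus the D_MEM line. The same applies to the matching branch in the second `send_buf` hunk below.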
@@ -1519,12 +1680,12 @@
/* Send the whole buffer */
write2stack(sdp_con_id, send_buf, send_len);
=20
+ D_MEM("<--- free%d 0x%8p", --malloc_dbg, send_buf);
+ free(send_buf);
+
D_MEM("<--- free%d 0x%8p", --malloc_dbg, cont_state_buf);
free(cont_state_buf);
cont_state_buf =3D NULL;
-
- D_MEM("<--- free%d 0x%8p", --malloc_dbg, send_buf);
- free(send_buf);
}
else
{
@@ -1546,9 +1707,7 @@
if (!cont_state_buf) {
send_error_rsp(sdp_con_id, trans_id, SDP_INVALID_CONTINUATION_STATE);
}
- else
- {
- if (max_attr_cnt >=3D cont_state_buf->len)
+ else if (max_attr_cnt >=3D cont_state_buf->len)
{
/* Allocate space for the SDP header, the attribute byte count field,
the attributes and the continuation state field */
@@ -1556,6 +1715,11 @@
=20
send_buf =3D malloc(send_len);
D_MEM("---> malloc%d %d bytes at 0x%8p", malloc_dbg++, send_len, sen=
d_buf);
+ if (!send_buf)
+ {
+ send_error_rsp(sdp_con_id, trans_id, SDP_INSUFFICIENT_RESOURCES);
+ return;
+ }
=20
set_sdp_hdr(send_buf, cont_state_buf->pdu, trans_id, send_len - SDP_=
HDR_SIZE);
=20
@@ -1570,12 +1734,12 @@
/* Send the whole buffer */
write2stack(sdp_con_id, send_buf, send_len);
=20
+ D_MEM("<--- free%d 0x%8p", --malloc_dbg, send_buf);
+ free(send_buf);
+
D_MEM("<--- free%d 0x%8p", --malloc_dbg, cont_state_buf);
free(cont_state_buf);
cont_state_buf =3D NULL;
-
- D_MEM("<--- free%d 0x%8p", --malloc_dbg, send_buf);
- free(send_buf);
}
else
{
@@ -1584,6 +1748,5 @@
/* FIXME: Have to implement this too... */
=20
send_error_rsp(sdp_con_id, trans_id, SDP_INVALID_SDP_VERSION);
- }
}
}