From 52b74144eeedc29427a6b2035af6038134a0f983 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Wed, 30 Apr 2014 22:40:43 +0900 Subject: [PATCH] Fix 0 size malloc, part 2 --- lib/nghttp2_frame.c | 35 +++++++++++++++++++++++++++++++---- lib/nghttp2_helper.c | 8 +++++++- lib/nghttp2_session.c | 25 ++++++++++++++++--------- 3 files changed, 54 insertions(+), 14 deletions(-) diff --git a/lib/nghttp2_frame.c b/lib/nghttp2_frame.c index 3aa4c145..43923bc3 100644 --- a/lib/nghttp2_frame.c +++ b/lib/nghttp2_frame.c @@ -515,11 +515,18 @@ int nghttp2_frame_unpack_settings_payload(nghttp2_settings *frame, { size_t payloadlen = niv * sizeof(nghttp2_settings_entry); - frame->iv = malloc(payloadlen); - if(frame->iv == NULL) { - return NGHTTP2_ERR_NOMEM; + if(niv == 0) { + frame->iv = NULL; + } else { + frame->iv = malloc(payloadlen); + + if(frame->iv == NULL) { + return NGHTTP2_ERR_NOMEM; + } + + memcpy(frame->iv, iv, payloadlen); } - memcpy(frame->iv, iv, payloadlen); + frame->niv = niv; return 0; } @@ -537,15 +544,27 @@ int nghttp2_frame_unpack_settings_payload2(nghttp2_settings_entry **iv_ptr, size_t payloadlen) { size_t i; + *niv_ptr = payloadlen / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH; + + if(*niv_ptr == 0) { + *iv_ptr = NULL; + + return 0; + } + + *iv_ptr = malloc((*niv_ptr)*sizeof(nghttp2_settings_entry)); + if(*iv_ptr == NULL) { return NGHTTP2_ERR_NOMEM; } + for(i = 0; i < *niv_ptr; ++i) { size_t off = i * NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH; nghttp2_frame_unpack_settings_entry(&(*iv_ptr)[i], &payload[off]); } + return 0; } @@ -829,11 +848,19 @@ nghttp2_settings_entry* nghttp2_frame_iv_copy(const nghttp2_settings_entry *iv, { nghttp2_settings_entry *iv_copy; size_t len = niv*sizeof(nghttp2_settings_entry); + + if(len == 0) { + return NULL; + } + iv_copy = malloc(len); + if(iv_copy == NULL) { return NULL; } + memcpy(iv_copy, iv, len); + return iv_copy; } diff --git a/lib/nghttp2_helper.c b/lib/nghttp2_helper.c index 3ac011be..ed177336 100644 
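Review bot: The new `niv == 0` branch changes the function's contract — `frame->iv` is now NULL for an empty SETTINGS payload where the old code always handed back a malloc'd pointer — and nothing in the hunk records that. I would add above the branch `/* niv == 0 leaves frame->iv NULL; nothing may dereference iv while niv is 0 */`, and it is worth confirming that every reader of `frame->iv` (packing, free) already tolerates NULL, which cannot be seen from this hunk. The function's signature is above the hunk.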
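Review bot: `*niv_ptr = payloadlen / NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH` silently drops a trailing partial entry when payloadlen is not a multiple of the entry length, and the new early return for `*niv_ptr == 0` now also reports a 1-to-(entry length minus 1) byte garbage payload as "no settings" with success. If the caller does not already reject `payloadlen % NGHTTP2_FRAME_SETTINGS_ENTRY_LENGTH != 0` as a malformed frame (not visible here; the HTTP/2 draft treats that as a frame size error), that check belongs before the division, returning whatever error code this file uses for invalid input rather than 0. The function's signature starts above the hunk.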
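Review bot: After this change NULL is returned both for `len == 0` and for a failed malloc, so a caller that tests the result for NULL to detect out-of-memory will misreport an empty settings list as NGHTTP2_ERR_NOMEM unless it checks niv first (the add_settings hunk in this patch does; any other callers are not visible here). Document the dual meaning on the function: `/* Returns NULL if niv == 0 or if allocation fails; check niv before treating NULL as an error. */`. The function's signature is above the hunk.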
--- a/lib/nghttp2_helper.c
+++ b/lib/nghttp2_helper.c
@@ -74,7 +74,13 @@ int nghttp2_reserve_buffer(uint8_t **buf_ptr, size_t *buflen_ptr,
 void* nghttp2_memdup(const void* src, size_t n)
 {
-  void* dest = malloc(n);
+  void* dest;
+
+  if(n == 0) {
+    return NULL;
+  }
+
+  dest = malloc(n);
   if(dest == NULL) {
     return NULL;
   }
diff --git a/lib/nghttp2_session.c b/lib/nghttp2_session.c
index d4a2403c..0e7eeb24 100644
--- a/lib/nghttp2_session.c
+++ b/lib/nghttp2_session.c
@@ -4814,14 +4814,16 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session,
       varlen = iframe->frame.hd.length - 8;
-      iframe->raw_lbuf = malloc(varlen);
+      if(varlen > 0) {
+        iframe->raw_lbuf = malloc(varlen);
-      if(iframe->raw_lbuf == NULL) {
-        return NGHTTP2_ERR_NOMEM;
+        if(iframe->raw_lbuf == NULL) {
+          return NGHTTP2_ERR_NOMEM;
+        }
+
+        nghttp2_buf_wrap_init(&iframe->lbuf, iframe->raw_lbuf, varlen);
       }
-      nghttp2_buf_wrap_init(&iframe->lbuf, iframe->raw_lbuf, varlen);
-
       busy = 1;
       iframe->state = NGHTTP2_IB_READ_ALTSVC;
@@ -5528,10 +5530,15 @@ int nghttp2_session_add_settings(nghttp2_session *session, uint8_t flags,
   if(frame == NULL) {
     return NGHTTP2_ERR_NOMEM;
   }
-  iv_copy = nghttp2_frame_iv_copy(iv, niv);
-  if(iv_copy == NULL) {
-    free(frame);
-    return NGHTTP2_ERR_NOMEM;
+
+  if(niv > 0) {
+    iv_copy = nghttp2_frame_iv_copy(iv, niv);
+    if(iv_copy == NULL) {
+      free(frame);
+      return NGHTTP2_ERR_NOMEM;
+    }
+  } else {
+    iv_copy = NULL;
   }
   if((flags & NGHTTP2_FLAG_ACK) == 0) {
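Review bot: `nghttp2_memdup` now returns NULL for `n == 0` as well as on allocation failure, so any caller that maps a NULL result to NGHTTP2_ERR_NOMEM turns a zero-length copy into a spurious out-of-memory error; no callers are visible here, so this needs a sweep across the tree. The ambiguity is not entirely new, since `malloc(0)` may already return NULL on some platforms, but it is now deterministic, so state it on the function: `/* Returns NULL when n == 0 or on allocation failure; do not treat NULL as an error without checking n. */`. The function body continues past the end of the hunk.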
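Review bot: When `varlen == 0` the new code skips `nghttp2_buf_wrap_init`, so `iframe->lbuf` keeps whatever it held from the previous frame and `iframe->raw_lbuf` is not reset, yet the state still advances to NGHTTP2_IB_READ_ALTSVC; if that state consults lbuf's length/avail or frees raw_lbuf (not visible here), it operates on stale data. An else branch that leaves the buffer in a known-empty state would close that, e.g. `} else { iframe->raw_lbuf = NULL; nghttp2_buf_wrap_init(&iframe->lbuf, NULL, 0); }`, assuming nghttp2_buf_wrap_init accepts a NULL/0 pair. Separately, `varlen = iframe->frame.hd.length - 8` wraps if length < 8 and varlen is unsigned; presumably validated before this point, but worth confirming. The enclosing function begins and ends outside the hunk.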
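Review bot: The `niv > 0` guard is what keeps a NULL from nghttp2_frame_iv_copy from being misread as out-of-memory now that iv_copy returns NULL for an empty list, but nothing in the hunk says so, and a later cleanup could easily fold the two branches back together. A one-line comment on the guard would pin the reason: `/* nghttp2_frame_iv_copy() returns NULL for niv == 0, so NULL means ENOMEM only when niv > 0 */`. The rest of the function, including where iv_copy and niv are stored into frame, is outside the hunk.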