| From bec6ccec63cadc95655721bc0e1dd49dac759d94 Mon Sep 17 00:00:00 2001 |
| From: Thomas Bernard <miniupnp@free.fr> |
| Date: Tue, 18 Dec 2018 22:37:14 +0100 |
| Subject: [PATCH] upnp_event_prepare(): check the return value of snprintf() |
| |
| --- |
| miniupnpd/upnpevents.c | 37 ++++++++++++++++++++++++++----------- |
| 1 file changed, 26 insertions(+), 11 deletions(-) |
| |
| diff --git a/upnpevents.c b/upnpevents.c |
| index d96bccb..3bc402f 100644 |
| --- a/upnpevents.c |
| +++ b/upnpevents.c |
| @@ -443,19 +443,34 @@ static void upnp_event_prepare(struct upnp_event_notify * obj) |
| l = 0; |
| } |
| obj->buffersize = 1024; |
| - obj->buffer = malloc(obj->buffersize); |
| - if(!obj->buffer) { |
| - syslog(LOG_ERR, "%s: malloc returned NULL", "upnp_event_prepare"); |
| - if(xml) { |
| - free(xml); |
| + for (;;) { |
| + obj->buffer = malloc(obj->buffersize); |
| + if(!obj->buffer) { |
| + syslog(LOG_ERR, "%s: malloc returned NULL", "upnp_event_prepare"); |
| + if(xml) { |
| + free(xml); |
| + } |
| + obj->state = EError; |
| + return; |
| } |
| - obj->state = EError; |
| - return; |
| + obj->tosend = snprintf(obj->buffer, obj->buffersize, notifymsg, |
| + obj->path, obj->addrstr, obj->portstr, l+2, |
| + obj->sub->uuid, obj->sub->seq, |
| + l, xml); |
| + if (obj->tosend < 0) { |
| + syslog(LOG_ERR, "%s: snprintf() failed", "upnp_event_prepare"); |
| + if(xml) { |
| + free(xml); |
| + } |
| + obj->state = EError; |
| + return; |
| + } else if (obj->tosend < obj->buffersize) { |
| + break; /* the buffer was large enough */ |
| + } |
| + /* Try again with a buffer big enough */ |
| + free(obj->buffer); |
| + obj->buffersize = obj->tosend + 1; /* reserve space for the final 0 */ |
| } |
| - obj->tosend = snprintf(obj->buffer, obj->buffersize, notifymsg, |
| - obj->path, obj->addrstr, obj->portstr, l+2, |
| - obj->sub->uuid, obj->sub->seq, |
| - l, xml); |
| if(xml) { |
| free(xml); |
| xml = NULL; |
| -- |
| 2.38.0.rc1.362.ged0d419d3c-goog |
| |