mdns: fixed crash on free undefined ptr after skipped strdup
Shortcircuit evaluation may cause skip of _mdns_strdup_check of any further question field, which after clear_rx_packet freed undefined memory. Fixes https://ezredmine.espressif.cn:8765/issues/28465
This commit is contained in:
parent
76f0dda3a4
commit
64757c0228
1 changed files with 12 additions and 15 deletions
|
@ -2487,19 +2487,15 @@ handle_error :
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @brief Duplicate string or return error
|
* @brief Duplicate string or return NULL
|
||||||
*/
|
*/
|
||||||
static esp_err_t _mdns_strdup_check(char ** out, char * in)
|
static char * _mdns_strdup_check(const char * in)
|
||||||
{
|
{
|
||||||
if (in && in[0]) {
|
if (in && in[0]) {
|
||||||
*out = strdup(in);
|
return strdup(in);
|
||||||
if (!*out) {
|
} else {
|
||||||
return ESP_FAIL;
|
return NULL;
|
||||||
}
|
}
|
||||||
return ESP_OK;
|
|
||||||
}
|
|
||||||
*out = NULL;
|
|
||||||
return ESP_OK;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -2590,7 +2586,7 @@ void mdns_parse_packet(mdns_rx_packet_t * packet)
|
||||||
parsed_packet->discovery = true;
|
parsed_packet->discovery = true;
|
||||||
mdns_srv_item_t * a = _mdns_server->services;
|
mdns_srv_item_t * a = _mdns_server->services;
|
||||||
while (a) {
|
while (a) {
|
||||||
mdns_parsed_question_t * question = (mdns_parsed_question_t *)malloc(sizeof(mdns_parsed_question_t));
|
mdns_parsed_question_t * question = (mdns_parsed_question_t *)calloc(1, sizeof(mdns_parsed_question_t));
|
||||||
if (!question) {
|
if (!question) {
|
||||||
HOOK_MALLOC_FAILED;
|
HOOK_MALLOC_FAILED;
|
||||||
goto clear_rx_packet;
|
goto clear_rx_packet;
|
||||||
|
@ -2618,7 +2614,7 @@ void mdns_parse_packet(mdns_rx_packet_t * packet)
|
||||||
parsed_packet->probe = true;
|
parsed_packet->probe = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
mdns_parsed_question_t * question = (mdns_parsed_question_t *)malloc(sizeof(mdns_parsed_question_t));
|
mdns_parsed_question_t * question = (mdns_parsed_question_t *)calloc(1, sizeof(mdns_parsed_question_t));
|
||||||
if (!question) {
|
if (!question) {
|
||||||
HOOK_MALLOC_FAILED;
|
HOOK_MALLOC_FAILED;
|
||||||
goto clear_rx_packet;
|
goto clear_rx_packet;
|
||||||
|
@ -2628,10 +2624,11 @@ void mdns_parse_packet(mdns_rx_packet_t * packet)
|
||||||
|
|
||||||
question->unicast = unicast;
|
question->unicast = unicast;
|
||||||
question->type = type;
|
question->type = type;
|
||||||
if (_mdns_strdup_check(&(question->host), name->host)
|
question->host = _mdns_strdup_check(name->host);
|
||||||
|| _mdns_strdup_check(&(question->service), name->service)
|
question->service = _mdns_strdup_check(name->service);
|
||||||
|| _mdns_strdup_check(&(question->proto), name->proto)
|
question->proto = _mdns_strdup_check(name->proto);
|
||||||
|| _mdns_strdup_check(&(question->domain), name->domain)) {
|
question->domain = _mdns_strdup_check(name->domain);
|
||||||
|
if (!question->host || !question->service || !question->proto || !question->domain) {
|
||||||
goto clear_rx_packet;
|
goto clear_rx_packet;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue