Crash_Override/OVMS3-idf
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

bugfix: mdns_service_txt_set() wasn't allocating memory for TXT records

Browse source 
Allocation was happening later, causing possible use of stack variables
of caller function, which could be invalid.

Signed-off-by: Piyush Shah <piyush@espressif.com>
This commit is contained in:
Piyush Shah 2018-09-11 16:20:00 +05:30
parent 17ac4bad73
commit e5e2702ca3
2 changed files with 20 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
components/mdns/mdns.c
View file

@ -1756,6 +1756,17 @@ static mdns_txt_linked_item_t * _mdns_allocate_txt(size_t num_items, mdns_txt_it
} }
return new_txt; return new_txt;
} }
static void _mdns_free_linked_txt(mdns_txt_linked_item_t *txt)
{
mdns_txt_linked_item_t *t;
while (txt) {
t = txt;
txt = txt->next;
free((char *)t->value);
free((char *)t->key);
free(t);
}
}
/** /**
* @brief creates/allocates new service * @brief creates/allocates new service
@ -3636,14 +3647,8 @@ static void _mdns_execute_action(mdns_action_t * action)
service = action->data.srv_txt_replace.service->service; service = action->data.srv_txt_replace.service->service;
txt = service->txt; txt = service->txt;
service->txt = NULL; service->txt = NULL;
while (txt) { _mdns_free_linked_txt(txt);
t = txt; service->txt = action->data.srv_txt_replace.txt;
txt = txt->next;
free((char *)t->value);
free((char *)t->key);
free(t);
}
service->txt = _mdns_allocate_txt(action->data.srv_txt_replace.num_items, action->data.srv_txt_replace.txt);
_mdns_announce_all_pcbs(&action->data.srv_txt_replace.service, 1, false); _mdns_announce_all_pcbs(&action->data.srv_txt_replace.service, 1, false);
break; break;
@ -4224,27 +4229,25 @@ esp_err_t mdns_service_txt_set(const char * service, const char * proto, mdns_tx
return ESP_ERR_NOT_FOUND; return ESP_ERR_NOT_FOUND;
} }
mdns_txt_item_t * txt_copy = NULL; mdns_txt_linked_item_t * new_txt = NULL;
if (num_items){ if (num_items){
txt_copy = (mdns_txt_item_t *)malloc(num_items * sizeof(mdns_txt_item_t)); new_txt = _mdns_allocate_txt(num_items, txt);
if (!txt_copy) { if (!new_txt) {
return ESP_ERR_NO_MEM; return ESP_ERR_NO_MEM;
} }
memcpy(txt_copy, txt, num_items * sizeof(mdns_txt_item_t));
} }
mdns_action_t * action = (mdns_action_t *)malloc(sizeof(mdns_action_t)); mdns_action_t * action = (mdns_action_t *)malloc(sizeof(mdns_action_t));
if (!action) { if (!action) {
free(txt_copy); _mdns_free_linked_txt(new_txt);
return ESP_ERR_NO_MEM; return ESP_ERR_NO_MEM;
} }
action->type = ACTION_SERVICE_TXT_REPLACE; action->type = ACTION_SERVICE_TXT_REPLACE;
action->data.srv_txt_replace.service = s; action->data.srv_txt_replace.service = s;
action->data.srv_txt_replace.num_items = num_items; action->data.srv_txt_replace.txt = new_txt;
action->data.srv_txt_replace.txt = txt_copy;
if (xQueueSend(_mdns_server->action_queue, &action, (portTickType)0) != pdPASS) { if (xQueueSend(_mdns_server->action_queue, &action, (portTickType)0) != pdPASS) {
free(txt_copy); _mdns_free_linked_txt(new_txt);
free(action); free(action);
return ESP_ERR_NO_MEM; return ESP_ERR_NO_MEM;
} }

3
components/mdns/private_include/mdns_private.h
View file

@ -364,8 +364,7 @@ typedef struct {
} srv_port; } srv_port;
struct { struct {
mdns_srv_item_t * service; mdns_srv_item_t * service;
uint8_t num_items; mdns_txt_linked_item_t * txt;
mdns_txt_item_t * txt;
} srv_txt_replace; } srv_txt_replace;
struct { struct {
mdns_srv_item_t * service; mdns_srv_item_t * service;