diff options
author | Daniel Stenberg <daniel@haxx.se> | 2010-12-27 13:10:48 +0100 |
---|---|---|
committer | Daniel Stenberg <daniel@haxx.se> | 2010-12-27 13:10:48 +0100 |
commit | 366cd6d54dfdf0d487f60333c45e9c7da9327050 (patch) | |
tree | 4b3bf0fd675a37d454a2926c079cd9120cdd5268 /ares_process.c | |
parent | 766a5aaf863e1be1c76edfa1f34f6723717fffb2 (diff) | |
download | c-ares-366cd6d54dfdf0d487f60333c45e9c7da9327050.tar.gz c-ares-366cd6d54dfdf0d487f60333c45e9c7da9327050.tar.bz2 c-ares-366cd6d54dfdf0d487f60333c45e9c7da9327050.zip |
advance_tcp_send_queue: avoid NULL ptr dereference
If given a too large 'num_bytes' value, it would cause a NULL ptr
dereference. Instead the code will now break out of the loop at the end
of the list.
Diffstat (limited to 'ares_process.c')
-rw-r--r-- | ares_process.c | 43 |
1 files changed, 21 insertions, 22 deletions
diff --git a/ares_process.c b/ares_process.c index 7d04eff..ca4c8ee 100644 --- a/ares_process.c +++ b/ares_process.c @@ -300,29 +300,28 @@ static void advance_tcp_send_queue(ares_channel channel, int whichserver, { struct send_request *sendreq; struct server_state *server = &channel->servers[whichserver]; - while (num_bytes > 0) - { - sendreq = server->qhead; - if ((size_t)num_bytes >= sendreq->len) - { - num_bytes -= sendreq->len; - server->qhead = sendreq->next; - if (server->qhead == NULL) - { - SOCK_STATE_CALLBACK(channel, server->tcp_socket, 1, 0); - server->qtail = NULL; - } - if (sendreq->data_storage != NULL) - free(sendreq->data_storage); - free(sendreq); - } - else - { - sendreq->data += num_bytes; - sendreq->len -= num_bytes; - num_bytes = 0; - } + while (num_bytes > 0) { + sendreq = server->qhead; + if ((size_t)num_bytes >= sendreq->len) { + num_bytes -= sendreq->len; + server->qhead = sendreq->next; + if (sendreq->data_storage) + free(sendreq->data_storage); + free(sendreq); + if (server->qhead == NULL) { + SOCK_STATE_CALLBACK(channel, server->tcp_socket, 1, 0); + server->qtail = NULL; + + /* qhead is NULL so we cannot continue this loop */ + break; + } + } + else { + sendreq->data += num_bytes; + sendreq->len -= num_bytes; + num_bytes = 0; } + } } /* If any TCP socket selects true for reading, read some data, |