author | iphydf <iphydf@users.noreply.github.com> | 2018-01-25 03:13:46 +0000 |
---|---|---|
committer | iphydf <iphydf@users.noreply.github.com> | 2018-01-26 01:30:06 +0000 |
commit | 9c03439ad09f6f23ca634685d5b0b9cac8b03a88 (patch) | |
tree | 6482d50c777dc73745f6c912269394056d01eee6 /testing | |
parent | 2a5941c9f9c355475fc2a75759d1daedbd77ea97 (diff) |
Fix out of bounds read in error case in messenger_test.
Also got rid of two VLAs. They are overused a bit in toxcore. In
irc_syncbot, the array was uninitialised and then filled by a recv system
call. This can cause uninitialised reads if recv doesn't fill the entire
array. It could not cause out of bounds read directly, because a
NUL-terminator was in place, but both cases are undefined behaviour.
Diffstat (limited to 'testing')
-rw-r--r-- | testing/irc_syncbot.c | 5 |
1 files changed, 3 insertions, 2 deletions
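--- a/testing/irc_syncbot.c
+++ b/testing/irc_syncbot.c
@@ -300,8 +300,7 @@ int main(int argc, char *argv[])
 if (count > 0) {
 last_get = get_monotime_sec();
 ping_sent = 0;
-VLA(uint8_t, data, count + 1);
-data[count] = 0;
+uint8_t *data = (uint8_t *)calloc(count + 1, 1);
 recv(sock, data, count, MSG_NOSIGNAL);
 printf("%s", data);
 
@@ -345,6 +344,8 @@ int main(int argc, char *argv[])
 p_i = i + 1;
 }
 }
+
+free(data);
 }
 
 if (connected == 1) {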
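Review bot: The result of `calloc(count + 1, 1)` in the first hunk is used without a NULL check, so on allocation failure `recv` is handed a null buffer and `printf("%s", data)` receives a null pointer, which is undefined behaviour; a guard such as `if (data == NULL) { return 1; }` directly after the allocation would close that, using whatever failure policy the bot prefers. The return value of `recv` is also still ignored: zero-filling makes a short read well defined, but a failed call (-1) goes unnoticed and the code after it then treats an all-zero buffer as received data, so `const ssize_t got = recv(sock, data, count, MSG_NOSIGNAL);` followed by a check of `got` is worth adding. The lines between the two hunks are not visible here; if they contain a `break`, `continue` or `return`, that path skips the new `free(data)` and leaks the buffer. main() begins and ends outside both hunks.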