Fix memory leak, tainted int, uninitialized value 21/87621/1 accepted/tizen/common/20160912.180715 accepted/tizen/ivi/20160912.093241 accepted/tizen/mobile/20160912.093153 accepted/tizen/tv/20160912.093206 accepted/tizen/wearable/20160912.093225 submit/tizen/20160911.233959
authorHyunho Kang <hhstark.kang@samsung.com>
Fri, 9 Sep 2016 01:58:14 +0000 (10:58 +0900)
committerHyunho Kang <hhstark.kang@samsung.com>
Fri, 9 Sep 2016 01:59:23 +0000 (10:59 +0900)
Change-Id: Ib84ae22dce8b4d32fb2541a6b08fb6996adfa27e
Signed-off-by: Hyunho Kang <hhstark.kang@samsung.com>
src/data-control-internal.c
src/data-control-map.c
src/data-control-sql.c

index 1d7e1aa..fbecd5c 100755 (executable)
@@ -200,10 +200,21 @@ int _recv_bulk_process(int fd, data_control_bulk_result_data_h *result_data_h)
                        goto out;
                }
                LOGI("##### encode_datalen : %d", encode_datalen);
+               if (encode_datalen <= 0 || encode_datalen >= MAX_REQUEST_ARGUMENT_SIZE) {
+                       retval = DATACONTROL_ERROR_IO_ERROR;
+                       LOGE("Invalid encode_datalen %d", encode_datalen);
+                       goto out;
+               }
                encode_data = (char *)calloc(encode_datalen, sizeof(char));
+               if (encode_data == NULL) {
+                       retval = DATACONTROL_ERROR_IO_ERROR;
+                       LOGE("FAIL to alloc encode data");
+                       goto out;
+               }
                if (_read_socket(fd, encode_data, encode_datalen, &nb) != DATACONTROL_ERROR_NONE) {
                        retval = DATACONTROL_ERROR_IO_ERROR;
                        LOGE("read socket fail: encode_data");
+                       free(encode_data);
                        goto out;
                }
                result_data = bundle_decode_raw((bundle_raw *)encode_data, encode_datalen);
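Review bot: The byte count `nb` filled in by `_read_socket` is never compared with `encode_datalen` before the buffer reaches `bundle_decode_raw`. If that helper can return `DATACONTROL_ERROR_NONE` on a short read (its body is not visible here), the decoder is told the full peer-supplied length while the tail of the buffer holds only the zeros from `calloc`. Since the length is now range-checked as untrusted input, I would reject a mismatch too by extending the condition to `if (_read_socket(fd, encode_data, encode_datalen, &nb) != DATACONTROL_ERROR_NONE || nb != encode_datalen) {`, with a cast matching the declared type of `nb`. The same sequence appears in the `__recv_sql_bulk_insert_process` hunk. Both functions start and end outside their hunks, so whether `out:` or the success path also frees `encode_data` cannot be confirmed from here.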
index 55ef37d..1552bd2 100755 (executable)
@@ -891,7 +891,7 @@ int datacontrol_map_set(datacontrol_h provider, const char *key, const char *old
 
 int datacontrol_map_add_bulk_data(datacontrol_h provider, data_control_bulk_data_h bulk_data_h, int *request_id)
 {
-       long long arg_size;
+       long long arg_size = 0;
        bundle *b;
        bundle *data;
        const char *arg_list[3];
index b4dfbad..781e5e0 100755 (executable)
@@ -325,10 +325,21 @@ static int __recv_sql_bulk_insert_process(int fd, data_control_bulk_result_data_
                        goto out;
                }
                LOGI("##### encode_datalen : %d", encode_datalen);
+               if (encode_datalen <= 0 || encode_datalen >= MAX_REQUEST_ARGUMENT_SIZE) {
+                       retval = DATACONTROL_ERROR_IO_ERROR;
+                       LOGE("Invalid encode_datalen %d", encode_datalen);
+                       goto out;
+               }
                encode_data = (char *)calloc(encode_datalen, sizeof(char));
+               if (encode_data == NULL) {
+                       retval = DATACONTROL_ERROR_IO_ERROR;
+                       LOGE("FAIL to alloc encode data");
+                       goto out;
+               }
                if (_read_socket(fd, encode_data, encode_datalen, &nb) != DATACONTROL_ERROR_NONE) {
                        retval = DATACONTROL_ERROR_IO_ERROR;
                        LOGE("read socket fail: encode_data");
+                       free(encode_data);
                        goto out;
                }
                result_data = bundle_decode_raw((bundle_raw *)encode_data, encode_datalen);
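Review bot: The new `calloc` failure branch reports `DATACONTROL_ERROR_IO_ERROR`, so the caller and the logs cannot tell memory exhaustion from a socket failure. I would use `retval = DATACONTROL_ERROR_OUT_OF_MEMORY;` there, assuming that is the out-of-memory constant this library uses elsewhere. The matching branch in the `_recv_bulk_process` hunk has the same mapping. The rest of the function, including the `out:` label, lies outside the hunk.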