THRIFT-1414 bufferoverflow in c_glib buffered transport/socket client
authorRoger Meier <roger@apache.org>
Wed, 17 Oct 2012 22:05:44 +0000 (22:05 +0000)
committerRoger Meier <roger@apache.org>
Wed, 17 Oct 2012 22:05:44 +0000 (22:05 +0000)
Patch: Christian Zimnick

git-svn-id: https://svn.apache.org/repos/asf/thrift/trunk@1399452 13f79535-47bb-0310-9956-ffa450edef68

lib/c_glib/src/thrift/transport/thrift_buffered_transport.c
lib/c_glib/src/thrift/transport/thrift_socket.c

index a3d7c21..1193b13 100644 (file)
@@ -71,7 +71,7 @@ thrift_buffered_transport_read_slow (ThriftTransport *transport, gpointer buf,
   ThriftBufferedTransport *t = THRIFT_BUFFERED_TRANSPORT (transport);
   guint32 want = len;
   guint32 got = 0;
-  guchar tmpdata[t->r_buf_size];
+  guchar tmpdata[len];
   guint32 have = t->r_buf->len;
 
   // we shouldn't hit this unless the buffer doesn't have enough to read
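Review bot: `guchar tmpdata[len];` sizes a stack array directly from the caller-supplied `len`, so a large read request can exhaust the stack, and a `len` of 0 makes the variable-length array undefined behaviour. If `len` can come from a length field decoded off the wire (not visible in this hunk), the change trades the fixed-size overflow for a remotely triggerable crash. Take the scratch buffer from the heap instead, e.g. `guchar *tmpdata = g_malloc (len);` with a matching `g_free (tmpdata);` on every return path, or cap the request at a reviewed maximum. The body of thrift_buffered_transport_read_slow continues past this hunk, so its return paths have to be checked there.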
@@ -101,7 +101,7 @@ thrift_buffered_transport_read_slow (ThriftTransport *transport, gpointer buf,
   } else {
     got += THRIFT_TRANSPORT_GET_CLASS (t->transport)->read (t->transport,
                                                             tmpdata,
-                                                            t->r_buf_size,
+                                                            want,
                                                             error);
     t->r_buf = g_byte_array_append (t->r_buf, tmpdata, got);
     
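Review bot: The result of the underlying `read` is added to the unsigned `got` with no error check, and `got` is then used as the length in `g_byte_array_append (t->r_buf, tmpdata, got)`. If that callback reports failure with a negative value (presumably the case, given the `ret < 0` branch in thrift_socket_read in this same commit), `got` wraps to a very large count and the append reads far past the end of `tmpdata`. Keep the return value in a signed local and stop before the append: `gint32 ret = THRIFT_TRANSPORT_GET_CLASS (t->transport)->read (t->transport, tmpdata, want, error);` followed by `if (ret < 0) return ret;`. Any other call to the underlying `read` in this function lies outside the hunk and should get the same guard.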
index 0716baa..6584a93 100644 (file)
@@ -129,7 +129,7 @@ thrift_socket_read (ThriftTransport *transport, gpointer buf,
 
   while (got < len)
   {
-    ret = recv (socket->sd, buf, len, 0);
+    ret = recv (socket->sd, buf+got, len-got, 0);
     if (ret < 0)
     {
       g_set_error (error, THRIFT_TRANSPORT_ERROR,
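Review bot: Only `ret < 0` is handled in the visible part of the `while (got < len)` loop, so a `recv` return of 0 (peer closed the connection) would leave `got` unchanged and the loop spinning unless the lines after this hunk deal with it. Adding `if (ret == 0) break;` (or reporting an end-of-stream error) before `got` is advanced bounds the loop. Separately, `buf+got` does arithmetic on a `gpointer`, which is a GNU extension rather than standard C; `(guint8 *) buf + got` is portable and makes the byte offset explicit. The loop body continues outside the hunk.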