From 771ca3cdf187e108444ace60444e611b1cbe2222 Mon Sep 17 00:00:00 2001
From: Roger Meier
Date: Wed, 17 Oct 2012 22:05:44 +0000
Subject: [PATCH] THRIFT-1414 bufferoverflow in c_glib buffered transport/socket client
Patch: Christian Zimnick
git-svn-id: https://svn.apache.org/repos/asf/thrift/trunk@1399452 13f79535-47bb-0310-9956-ffa450edef68
---
 lib/c_glib/src/thrift/transport/thrift_buffered_transport.c | 4 ++--
 lib/c_glib/src/thrift/transport/thrift_socket.c | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/c_glib/src/thrift/transport/thrift_buffered_transport.c b/lib/c_glib/src/thrift/transport/thrift_buffered_transport.c
index a3d7c214..1193b13b 100644
--- a/lib/c_glib/src/thrift/transport/thrift_buffered_transport.c
+++ b/lib/c_glib/src/thrift/transport/thrift_buffered_transport.c
@@ -71,7 +71,7 @@ thrift_buffered_transport_read_slow (ThriftTransport *transport, gpointer buf,
 ThriftBufferedTransport *t = THRIFT_BUFFERED_TRANSPORT (transport);
 guint32 want = len;
 guint32 got = 0;
- guchar tmpdata[t->r_buf_size];
+ guchar tmpdata[len];
 guint32 have = t->r_buf->len;
 // we shouldn't hit this unless the buffer doesn't have enough to read
@@ -101,7 +101,7 @@ thrift_buffered_transport_read_slow (ThriftTransport *transport, gpointer buf,
 } else {
 got += THRIFT_TRANSPORT_GET_CLASS (t->transport)->read (t->transport,
 tmpdata,
- t->r_buf_size,
+ want,
 error);
 t->r_buf = g_byte_array_append (t->r_buf, tmpdata, got);
diff --git a/lib/c_glib/src/thrift/transport/thrift_socket.c b/lib/c_glib/src/thrift/transport/thrift_socket.c
index 0716baa6..6584a933 100644
--- a/lib/c_glib/src/thrift/transport/thrift_socket.c
+++ b/lib/c_glib/src/thrift/transport/thrift_socket.c
@@ -129,7 +129,7 @@ thrift_socket_read (ThriftTransport *transport, gpointer buf,
 while (got < len)
 {
- ret = recv (socket->sd, buf, len, 0);
+ ret = recv (socket->sd, buf+got, len-got, 0);
 if (ret < 0)
 {
 g_set_error (error, THRIFT_TRANSPORT_ERROR,
--
2.17.1
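Review bot: `guchar tmpdata[len];` in the first hunk of thrift_buffered_transport.c sizes a stack array from the caller's `len`, a guint32 with no upper bound visible here, so a large read request can exhaust the stack, and `len == 0` yields a zero-length VLA, which is undefined. If `len` can be derived from a length field in received data (not visible in this hunk), the remote peer effectively chooses the stack allocation size. A heap buffer with a failure check bounds the damage: `guchar *tmpdata = g_try_malloc (len);`, return an error when it is NULL, and `g_free (tmpdata);` before each return. The function body starts and ends outside the hunk, so the return paths have to be checked there.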
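Review bot: In the second hunk the result of `->read (t->transport, tmpdata, want, error)` is added straight into `got`, which the first hunk declares as `guint32`, and `got` is then the length handed to `g_byte_array_append`. If the underlying read reports failure with a negative value (thrift_socket_read appears to have an error branch for `ret < 0`), the addition wraps to a huge count and the append copies far past the end of `tmpdata`. Holding the result in a signed local first closes this, assuming the function itself returns a signed status: `gint32 ret = THRIFT_TRANSPORT_GET_CLASS (t->transport)->read (t->transport, tmpdata, want, error);`, `if (ret < 0) return ret;`, `got += ret;`. The enclosing else-branch continues outside the hunk.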
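Review bot: The check after the new `recv` call in thrift_socket.c tests only `ret < 0`, but `recv` returns 0 when the peer closes the connection; unless code after this hunk handles that case, `got` stops advancing and `while (got < len)` never exits. Treating 0 as end-of-stream, e.g. `if (ret <= 0)` with a distinct error for the closed case, avoids a hang that a remote peer can trigger by disconnecting mid-message. Separately, `buf+got` does arithmetic on a `gpointer` (void *), which is a GNU extension; `(guint8 *) buf + got` is portable. The loop body continues outside the hunk.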