From 6ab4094495c28a56baf64276d1012b38271894c5 Mon Sep 17 00:00:00 2001
From: Guillaume Nault <g.nault@alphalink.fr>
Date: Mon, 25 Mar 2013 12:47:06 +0100
Subject: l2tp: Handle allocation failure in l2tp_session_connect()

Allocate PPP channel name using the string size to be stored and check
for allocation failure. Use two snprintf() and a _malloc() instead of
asprintf() so that allocated memory will be visible by memdebug.

Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
---
 accel-pppd/ctrl/l2tp/l2tp.c | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

(limited to 'accel-pppd/ctrl/l2tp')

diff --git a/accel-pppd/ctrl/l2tp/l2tp.c b/accel-pppd/ctrl/l2tp/l2tp.c
index 8e50ff3..1f270bc 100644
--- a/accel-pppd/ctrl/l2tp/l2tp.c
+++ b/accel-pppd/ctrl/l2tp/l2tp.c
@@ -1151,8 +1151,9 @@ static int l2tp_session_connect(struct l2tp_sess_t *sess)
 	struct l2tp_conn_t *conn = sess->paren_conn;
 	int lns_mode = sess->lns_mode;
 	int flg;
+	int chan_sz;
+	uint16_t peer_port;
 	char addr[17];
-	char chan_name[64];
 
 	sess->ppp.fd = socket(AF_PPPOX, SOCK_DGRAM, PX_PROTO_OL2TP);
 	if (sess->ppp.fd < 0) {
@@ -1201,9 +1202,26 @@ static int l2tp_session_connect(struct l2tp_sess_t *sess)
 	}
 
 	u_inet_ntoa(conn->peer_addr.sin_addr.s_addr, addr);
-	sprintf(chan_name, "%s:%i session %i",
-		addr, ntohs(conn->peer_addr.sin_port), sess->peer_sid);
-	sess->ppp.ses.chan_name = _strdup(chan_name);
+	peer_port = ntohs(conn->peer_addr.sin_port);
+	chan_sz = snprintf(NULL, 0, "%s:%i session %i",
+		       addr, peer_port, sess->peer_sid);
+	if (chan_sz < 0) {
+		log_session(log_error, sess, "impossible to connect session:"
+			    " snprintf() failed: %s\n", strerror(errno));
+		goto out_err;
+	}
+	sess->ppp.ses.chan_name = _malloc(chan_sz);
+	if (sess->ppp.ses.chan_name == NULL) {
+		log_session(log_error, sess, "impossible to connect session:"
+			    " memory allocation failed\n");
+		goto out_err;
+	}
+	if (snprintf(sess->ppp.ses.chan_name, chan_sz, "%s:%i session %i",
+		     addr, peer_port, sess->peer_sid) < 0) {
+		log_session(log_error, sess, "impossible to connect session:"
+			    " snprintf(%i) failed\n", chan_sz);
+		goto out_err;
+	}
 
 	triton_event_fire(EV_CTRL_STARTED, &sess->ppp.ses);
 
@@ -1224,6 +1242,10 @@ static int l2tp_session_connect(struct l2tp_sess_t *sess)
 	return 0;
 
 out_err:
+	if (sess->ppp.ses.chan_name) {
+		_free(sess->ppp.ses.chan_name);
+		sess->ppp.ses.chan_name = NULL;
+	}
 	if (sess->ppp.fd >= 0) {
 		close(sess->ppp.fd);
 		sess->ppp.fd = -1;
-- 
cgit v1.2.3