server: Fix segfault in com_sender().
author Andre Noll <maan@tuebingen.mpg.de>
Mon, 24 Jul 2017 22:18:50 +0000 (00:18 +0200)
committer Andre Noll <maan@tuebingen.mpg.de>
Fri, 28 Jul 2017 14:08:22 +0000 (16:08 +0200)
Commit 1709cc8f (server: Convert non-afs commands to lopsub) from
one year ago dropped the terminating NULL pointer from the array
of sender commands, presumably because the array size is declared
as the NUM_SENDER_CMDS enum constant, and this constant can be used
to iterate over all sender subcommands.

However, the loop in check_sender_args() of command.c does not
terminate after NUM_SENDER_CMDS elements but only when it
encounters a NULL pointer. Hence, without the terminating NULL, the
code reads beyond the end of the array. The resulting invalid memory
access causes the command handler process to segfault.

Fix this by changing the termination condition of the loop to check
the loop variable against NUM_SENDER_CMDS.
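
The mismatch the commit message describes, shown as a small added C example (not paraslash's code; the enum values, table contents and function names are hypothetical stand-ins for the sender subcommand table in command.c). It contrasts the two table conventions, NULL-terminated versus enum-bounded, and adds the compile-time check that keeps an enum-bounded table and its size constant from drifting apart, which is what allowed the sentinel to go missing unnoticed:

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical subcommand set; the names are invented for this example. */
enum sender_subcommand {
	SENDER_CMD_ON,
	SENDER_CMD_OFF,
	SENDER_CMD_ADD,
	SENDER_CMD_DELETE,
	NUM_SENDER_CMDS	/* entry count, also the array size */
};

/* Enum-bounded table: exactly NUM_SENDER_CMDS entries, no trailing NULL.
 * Walking it until a NULL pointer is found reads past its end. */
static const char *const subcmds[NUM_SENDER_CMDS] = {
	[SENDER_CMD_ON] = "on",
	[SENDER_CMD_OFF] = "off",
	[SENDER_CMD_ADD] = "add",
	[SENDER_CMD_DELETE] = "delete",
};

/* Tie the array length to the enum at compile time: adding a subcommand to
 * one without the other becomes a build error instead of an out-of-bounds
 * read at runtime. */
_Static_assert(sizeof(subcmds) / sizeof(subcmds[0]) == NUM_SENDER_CMDS,
	"subcmds[] and NUM_SENDER_CMDS are out of sync");

/* Bounded lookup, the shape the fix gives check_sender_args(): returns the
 * index of the matching subcommand or -1 if none matches. The loop stops at
 * NUM_SENDER_CMDS, so subcmds[NUM_SENDER_CMDS] is never dereferenced. */
int lookup_subcmd(const char *arg)
{
	int i;

	if (!arg)
		return -1;
	for (i = 0; i < NUM_SENDER_CMDS; i++)
		if (!strcmp(subcmds[i], arg))
			return i;
	return -1;
}

/* The other convention, the one the old loop assumed: a table that really
 * does end in NULL. Safe only on such a table; calling this on subcmds[]
 * above is exactly the bug the patch fixes. */
static const char *const subcmds_with_sentinel[] = {
	"on", "off", "add", "delete", NULL
};

int lookup_subcmd_sentinel(const char *const *table, const char *arg)
{
	int i;

	if (!arg)
		return -1;
	for (i = 0; table[i]; i++)
		if (!strcmp(table[i], arg))
			return i;
	return -1;
}

int main(void)
{
	/* Constructed inputs: one known subcommand, one unknown. */
	if (lookup_subcmd("add") != SENDER_CMD_ADD)
		return 1;
	if (lookup_subcmd("bogus") != -1)
		return 1;
	return 0;
}
```

Either convention works on its own; the failure mode is mixing them, a sentinel-walking loop over an enum-bounded table. The static assertion does not catch that mix, but it does make the enum-bounded table self-describing, so a reviewer reading the declaration can see which termination rule the loop must follow.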

command.c

index 5802d37..3943d6d 100644 (file)
--- a/command.c
+++ b/command.c
@@ -246,10 +246,10 @@ static int check_sender_args(struct command_context *cc,
                return -E_COMMAND_SYNTAX;
        scd->sender_num = i;
        arg = lls_input(1, lpr);
                return -E_COMMAND_SYNTAX;
        scd->sender_num = i;
        arg = lls_input(1, lpr);
-       for (i = 0; subcmds[i]; i++)
+       for (i = 0; i < NUM_SENDER_CMDS; i++)
                if (!strcmp(subcmds[i], arg))
                        break;
                if (!strcmp(subcmds[i], arg))
                        break;
-       if (!subcmds[i])
+       if (i == NUM_SENDER_CMDS)
                return -E_COMMAND_SYNTAX;
        scd->cmd_num = i;
        if (!senders[scd->sender_num].client_cmds[scd->cmd_num])
                return -E_COMMAND_SYNTAX;
        scd->cmd_num = i;
        if (!senders[scd->sender_num].client_cmds[scd->cmd_num])
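Review bot: the new bound is only as good as the declared size of subcmds[]; since the NULL sentinel was dropped on purpose and this loop was the one place that still relied on it, consider adding a compile-time check in command.c that the array length equals NUM_SENDER_CMDS, so the next time an entry is added to one but not the other the build fails instead of the command handler reading past the array again. The hunk itself is correct as far as the visible lines go: on no match the loop exits with i == NUM_SENDER_CMDS, the `if (i == NUM_SENDER_CMDS)` test returns -E_COMMAND_SYNTAX before scd->cmd_num is assigned, and the following `client_cmds[scd->cmd_num]` index is therefore always below NUM_SENDER_CMDS.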