author | Michael Brown <mcb30@etherboot.org> | 2009-02-12 09:16:53 +0000 |
---|---|---|
committer | Michael Brown <mcb30@etherboot.org> | 2009-02-12 09:16:53 +0000 |
commit | 4e6b62c94627d1e05aa986f66054df5f841fe53b (patch) | |
tree | fb4b8e7ef50b599fe98c2e485177b7e050b85893 | |
parent | 8e960eb67c3c3974f4eca34e1fe733791f70ca09 (diff) | |
download | ipxe-4e6b62c94627d1e05aa986f66054df5f841fe53b.tar.gz |
[settings] Handle errors in fetchf_uristring()
fetchf_uristring() was failing to handle error values from
fetch_setting(), resulting in its attempting to allocate extremely
large temporary buffers on the stack (and so overrunning the stack and
locking up the machine).
Problem reported by Shao Miller <Shao.Miller@yrdsb.edu.on.ca>.
-rw-r--r-- | src/core/settings.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/src/core/settings.c b/src/core/settings.c index 2c886fdf..29e56b32 100644 --- a/src/core/settings.c +++ b/src/core/settings.c @@ -825,12 +825,15 @@ static int storef_uristring ( struct settings *settings, static int fetchf_uristring ( struct settings *settings, struct setting *setting, char *buf, size_t len ) { - size_t raw_len; + ssize_t raw_len; /* We need to always retrieve the full raw string to know the * length of the encoded string. */ raw_len = fetch_setting ( settings, setting, NULL, 0 ); + if ( raw_len < 0 ) + return raw_len; + { char raw_buf[ raw_len + 1 ]; |
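
Review bot: the `char raw_buf[ raw_len + 1 ];` declaration in fetchf_uristring() is still a variable-length array on the stack, sized directly from the fetch_setting() return value, and the new `raw_len < 0` check only rejects error values. A large but valid length would still claim an unbounded amount of stack, which is the failure mode the commit message describes. Consider rejecting lengths above a fixed maximum before the inner block, or moving the temporary buffer to a heap allocation that returns an error when it fails. A smaller point: `return raw_len;` narrows an ssize_t to the function's int return type; that is fine for negative error codes, but an explicit cast or a short comment saying that negative values are error codes would make the intent clear.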