Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
[xfer] Avoid using stack-allocated memory in xfer_printf()
xfer_printf() occasionally has to deal with strings that are
potentially long, such as HTTP URIs with multiple query parameters.
Allocating these on the stack can lead to stack overruns and memory
corruption.

Fix by using vasprintf() instead of a stack allocation.

Signed-off-by: Michael Brown <mcb30@ipxe.org>
  • Loading branch information
mcb30 committed Apr 23, 2012
1 parent 5b18489 commit de26161
Showing 1 changed file with 19 additions and 7 deletions.
26 changes: 19 additions & 7 deletions src/core/xfer.c
Expand Up @@ -19,6 +19,7 @@
FILE_LICENCE ( GPL2_OR_LATER );

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <ipxe/iobuf.h>
Expand Down Expand Up @@ -297,17 +298,28 @@ int xfer_deliver_raw ( struct interface *intf, const void *data, size_t len ) {
*/
int xfer_vprintf ( struct interface *intf, const char *format,
va_list args ) {
size_t len;
va_list args_tmp;
char *buf;
int len;
int rc;

/* Create temporary string */
va_copy ( args_tmp, args );
len = vsnprintf ( NULL, 0, format, args );
{
char buf[len + 1];
vsnprintf ( buf, sizeof ( buf ), format, args_tmp );
va_end ( args_tmp );
return xfer_deliver_raw ( intf, buf, len );
len = vasprintf ( &buf, format, args );
if ( len < 0 ) {
rc = len;
goto err_asprintf;
}
va_end ( args_tmp );

/* Transmit string */
if ( ( rc = xfer_deliver_raw ( intf, buf, len ) ) != 0 )
goto err_deliver;

err_deliver:
free ( buf );
err_asprintf:
return rc;
}

/**
Expand Down

0 comments on commit de26161

Please sign in to comment.