From: Alain Spineux Date: Thu, 24 Oct 2019 13:12:56 +0000 (+0200) Subject: tray-monitor: fix potential memory corruption X-Git-Tag: Release-9.6.0~51 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=11124c29f0bff902bc215baab22fbbd6aad263bf;p=thirdparty%2Fbacula.git tray-monitor: fix potential memory corruption - init_resource() initialize a resource using the wrong size - rename one of the two init_resource() (with a '0') because they now have a similar parameters and are difficult to differentiate --- diff --git a/bacula/src/lib/parse_conf.c b/bacula/src/lib/parse_conf.c index d566ba110..7473947c9 100644 --- a/bacula/src/lib/parse_conf.c +++ b/bacula/src/lib/parse_conf.c @@ -252,7 +252,7 @@ bool CONFIG::insert_res(int rindex, int size) * Initialize the static structure to zeros, then * apply all the default values. */ -static void init_resource(CONFIG *config, int type, RES_ITEM *items, int pass) +static void init_resource0(CONFIG *config, int type, RES_ITEM *items, int pass) { int i; int rindex = type - r_first; @@ -295,7 +295,7 @@ static void init_resource(CONFIG *config, int type, RES_ITEM *items, int pass) } /* Initialize a resouce with default values */ -bool init_resource(CONFIG *config, uint32_t type, void *res) +bool init_resource(CONFIG *config, uint32_t type, void *res, int size) { RES_ITEM *items; for (int i=0; resources[i].name; i++) { @@ -304,8 +304,8 @@ bool init_resource(CONFIG *config, uint32_t type, void *res) if (!items) { return false; } - init_resource(config, type, items, 1); - memcpy(res, config->m_res_all, config->m_res_all_size); + init_resource0(config, type, items, 1); + memcpy(res, config->m_res_all, size); return true; } } @@ -1107,7 +1107,7 @@ bool CONFIG::parse_config() } state = p_resource; res_type = resources[i].rcode; - init_resource(this, res_type, items, pass); + init_resource0(this, res_type, items, pass); break; } } diff --git a/bacula/src/lib/parse_conf.h b/bacula/src/lib/parse_conf.h index 6fb5a1998..23ac84860 100644 --- a/bacula/src/lib/parse_conf.h +++ b/bacula/src/lib/parse_conf.h @@ -289,7 +289,7 @@ void b_UnlockRes(const char *file, int line); void dump_resource(int type, RES *res, void sendmsg(void *sock, const char *fmt, ...), void *sock); void dump_each_resource(int type, void sendmsg(void *sock, const char *fmt, ...), void *sock); void free_resource(RES *res, int type); -bool init_resource(CONFIG *config, uint32_t type, void *res); +bool init_resource(CONFIG *config, uint32_t type, void *res, int size); bool save_resource(CONFIG *config, int type, RES_ITEM *item, int pass); void unstrip_password(RES_TABLE *resources); /* Used for json stuff */ void strip_password(RES_TABLE *resources); /* Used for tray monitor */ diff --git a/bacula/src/qt-console/tray-monitor/conf.cpp b/bacula/src/qt-console/tray-monitor/conf.cpp index 729b559e7..d512014a1 100644 --- a/bacula/src/qt-console/tray-monitor/conf.cpp +++ b/bacula/src/qt-console/tray-monitor/conf.cpp @@ -337,7 +337,7 @@ void Conf::addResource(RESMON *res, const char *title) void Conf::addRes(int type, const char *title) { RESMON *res = (RESMON *) malloc(sizeof(RESMON)); - init_resource(config, type, res); + init_resource(config, type, res, sizeof(RESMON)); res->type = type; // Not sure it's set by init_resource res->new_resource = true; // We want to free this resource with the ConfTab addResource(res, title);