do_check_nonce: Don't free uninitialized memory on OOM

If _dbus_string_init() fails, it doesn't guarantee that the string
is initialized to anything in particular. Worse, if
_dbus_string_init (&buffer) fails, p would never have been initialized
at all, due to the use of the short-circuiting || operator.

Signed-off-by: Simon McVittie <smcv@collabora.com>
Reviewed-by: Philip Withnall <withnall@endlessm.com>
Bug: https://bugs.freedesktop.org/show_bug.cgi?id=103597
(cherry picked from commit 0ea0e4b0fddd1109835b8b9f7a8319d59c8d9303)

diff --git a/dbus/dbus-nonce.c b/dbus/dbus-nonce.c
index bc3286cc9db77d8e6541344c95fe0f2355f868fd..49f873693628ccfeb728dafb4f0b65c662d13057 100644 (file)
--- a/dbus/dbus-nonce.c
+++ b/dbus/dbus-nonce.c
@@ -43,6 +43,20 @@ do_check_nonce (DBusSocket fd, const DBusString *nonce, DBusError *error)
 
   nleft = 16;
 
+  /* This is a trick to make it safe to call _dbus_string_free on these
+   * strings during error unwinding, even if allocating memory for them
+   * fails. A constant DBusString is considered to be valid to "free",
+   * even though there is nothing to free (of course the free operation
+   * is trivial, because it does not own its own buffer); but
+   * unlike a mutable DBusString, initializing a constant DBusString
+   * cannot fail.
+   *
+   * We must successfully re-initialize the strings to be mutable before
+   * writing to them, of course.
+   */
+  _dbus_string_init_const (&buffer, "");
+  _dbus_string_init_const (&p, "");
+
   if (   !_dbus_string_init (&buffer)
       || !_dbus_string_init (&p) ) {
         dbus_set_error (error, DBUS_ERROR_NO_MEMORY, NULL);