Module: kamailio
Branch: master
Commit: f06e09b3a83f88678318f4aabeb6afdbf5a46ff0
URL:
https://github.com/kamailio/kamailio/commit/f06e09b3a83f88678318f4aabeb6afd…
Author: Daniel-Constantin Mierla <miconda(a)gmail.com>
Committer: Daniel-Constantin Mierla <miconda(a)gmail.com>
Date: 2017-07-28T10:45:07+02:00
db_text: safety checks before memsets inside dbt_build_where()
---
Modified: src/modules/db_text/dbt_raw_util.c
---
Diff:
https://github.com/kamailio/kamailio/commit/f06e09b3a83f88678318f4aabeb6afd…
Patch:
https://github.com/kamailio/kamailio/commit/f06e09b3a83f88678318f4aabeb6afd…
---
diff --git a/src/modules/db_text/dbt_raw_util.c b/src/modules/db_text/dbt_raw_util.c
index 92b60287d6..f5cf756e25 100644
--- a/src/modules/db_text/dbt_raw_util.c
+++ b/src/modules/db_text/dbt_raw_util.c
@@ -183,13 +183,12 @@ int dbt_build_where(char* where, db_key_t** _k, db_op_t** _o,
db_val_t** _v)
int offset = 0;
int idx = -1;
char int_buf[50];
+ int res;
*_k = NULL;
*_o = NULL;
*_v = NULL;
- int res;
-
len = strlen(where);
res = regcomp(&preg, _regexp, REG_EXTENDED);
@@ -199,21 +198,21 @@ int dbt_build_where(char* where, db_key_t** _k, db_op_t** _o,
db_val_t** _v)
}
_k1 = pkg_malloc(sizeof(db_key_t) * MAX_CLAUSES);
- memset(_k1, 0, sizeof(db_key_t) * MAX_CLAUSES);
_o1 = pkg_malloc(sizeof(char*) * MAX_CLAUSES);
- memset(_o1, 0, sizeof(db_op_t) * MAX_CLAUSES);
_v1 = pkg_malloc(sizeof(db_val_t) * MAX_CLAUSES);
- memset(_v1, 0, sizeof(db_val_t) * MAX_CLAUSES);
-
matches = (regmatch_t*)pkg_malloc(sizeof(regmatch_t) * MAX_MATCH);
- if(matches==NULL || _k1==NULL || _o1==NULL || _v1==NULL) {
+
+ if(_k1==NULL || _o1==NULL || _v1==NULL || matches==NULL) {
LM_ERR("error getting pkg memory\n");
- pkg_free(_k1);
- pkg_free(_o1);
- pkg_free(_v1);
- pkg_free(matches);
+ if(_k1) pkg_free(_k1);
+ if(_o1) pkg_free(_o1);
+ if(_v1) pkg_free(_v1);
+ if(matches) pkg_free(matches);
return -1;
}
+ memset(_k1, 0, sizeof(db_key_t) * MAX_CLAUSES);
+ memset(_o1, 0, sizeof(char*) * MAX_CLAUSES);
+ memset(_v1, 0, sizeof(db_val_t) * MAX_CLAUSES);
while(offset < len) {
char* buffer = where + offset;
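Review bot: The allocation-failure branch still returns -1 without releasing `preg`, which `regcomp()` compiled successfully in the previous hunk, so each out-of-memory pass through this path appears to leak the compiled pattern in a long-lived process. Adding `regfree(&preg);` before that `return -1;` would close it, unless `preg` is released somewhere not visible here. Separately, `_o1` is now both allocated and zeroed with `sizeof(char*)` while it is handed back through a `db_op_t**`. Writing `sizeof(*_o1) * MAX_CLAUSES` in the `pkg_malloc` and the `memset` (and likewise for `_k1` and `_v1`) would keep each size tied to the pointer's element type if a typedef ever changes. The body of dbt_build_where() starts and continues outside this hunk, so later exit paths were not checked.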