BUG/MEDIUM: 51d: possible incorrect operations on smp->data.str.str
In src/51d.c, the function _51d_conv() writes a final '\0' into
smp->data.str.str, which is an illegal write if the SMP_F_CONST flag is
set in smp->flags (the buffer must not be modified) or if
smp->data.str.size is not available (no room for the terminator can be
assumed).
This patch adds a check on smp->flags and smp->data.str.size, and copies
the smp->data.str.str to another buffer by using smp_dup(). If necessary,
the "const" flag is set after device detection. Also, this patch removes
the unnecessary call to chunk_reset() on temp argument.
diff --git a/src/51d.c b/src/51d.c
index abb5cce..6f17c28 100644
--- a/src/51d.c
+++ b/src/51d.c
@@ -127,6 +127,7 @@
lru = lru64_get(XXH64(smp->data.str.str, smp->data.str.len, seed),
_51d_lru_tree, global._51degrees.data_file_path, 0);
if (lru && lru->domain) {
+ smp->flags |= SMP_F_CONST;
smp->data.str.str = lru->data;
smp->data.str.len = strlen(smp->data.str.str);
return 1;
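Review bot: After `smp->flags |= SMP_F_CONST;` on the cache-hit path, smp->data.str.size is left at whatever it was for the original sample, so it no longer describes the buffer the sample now points to (lru->data). Any consumer that consults size before honouring SMP_F_CONST would see a stale bound; resetting it next to the flag, `smp->data.str.size = 0;`, makes the "not writable" state explicit — worth confirming against how smp_dup() and the converters treat size. Separately, `strlen(smp->data.str.str)` assumes lru->data is never NULL, which depends on the commit path later in this function never storing a failed strdup() result. _51d_conv() begins before this hunk.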
@@ -140,6 +141,10 @@
return 0;
#endif
+ /* Duplicate the data and remove the "const" flag before device detection. */
+ if (!smp_dup(smp))
+ return 0;
+
smp->data.str.str[smp->data.str.len] = '\0';
/* Perform detection. */
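Review bot: The terminator write `smp->data.str.str[smp->data.str.len] = '\0';` is in bounds only if smp_dup() always leaves at least one spare byte (len < size) in the chunk it copies into; that contract is not visible here, and an input as long as the chunk would otherwise write one byte past its end. A local guard makes the invariant explicit and cheap, `if (smp->data.str.len >= smp->data.str.size) return 0;`, placed between the smp_dup() call and the write. If smp_dup() truncates over-long input silently, detection then runs on a shortened User-Agent, which is presumably acceptable but deserves a one-line comment above the write. The enclosing function starts and ends outside this hunk.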
@@ -152,7 +157,6 @@
i = 0;
temp = get_trash_chunk();
- chunk_reset(temp);
/* Loop through property names passed to the filter and fetch them from the dataset. */
while (args[i].data.str.str) {
@@ -198,8 +202,10 @@
fiftyoneDegreesFreeWorkset(ws);
#endif
- if (lru)
+ if (lru) {
+ smp->flags |= SMP_F_CONST;
lru64_commit(lru, strdup(smp->data.str.str), global._51degrees.data_file_path, 0, free);
+ }
return 1;
}
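Review bot: `strdup(smp->data.str.str)` can return NULL and is passed to lru64_commit() unchecked, so an allocation failure caches an entry whose data pointer is NULL; the cache-hit path earlier in this function (outside this hunk) then calls strlen() on lru->data. Check the copy before committing: `char *copy = strdup(smp->data.str.str);` followed by `if (copy) lru64_commit(lru, copy, global._51degrees.data_file_path, 0, free);`. Whether the LRU tolerates an entry returned by lru64_get() that is never committed should be confirmed; if it does not, the hit path should test `lru->data` as well as `lru->domain` instead. The SMP_F_CONST flag can stay where it is in either case.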