Case tested on a Windows 7 x64 environment.
If any service declaration is made with a small lifetime and any of the attribute values is specified with a comma symbol (service:test:// "(a=b),(c=d,e)"), slpd will crash when the lifetime ends.
The exceptional situation appears in the SLPAttrFree function (libslpattr.c) at line 873:
var_free(attr); // where attr at the moment point to attribute named "c" in my example
Stack trace:
slpd.exe!var_free(xx_var_t * var=0x0000000000430870) Line 762 // Exception
slpd.exe!SLPAttrFree(void * slp_attr_h=0x00000000002681b0) Line 874
It seems that the list in var is not destroyed correctly:
static void var_list_destroy(var_t * var) (libslpattr.c), after line 740:
while (value)
{
    to_free = value;
    value = value->next_chunk; // Seems here should be value->next!!!
    free(to_free);
    // value->escaped_len: 1
    // value->unescaped_len: 1
    // value->data: {..... va_str "d....."
    // value->next_chunk: NULL!!!
    // value->next - not NULL!!! and expands to:
    // value->next->next: NULL
    // value->next->escaped_len: 1
    // value->next->unescaped_len: 1
    // value->next->data: {..... va_str "e....."
    // value->next->next_chunk: NULL
}
Changing value = value->next_chunk; to value = value->next; does not help; deleting in reverse order does not help either.
Either way, free(to_free); generates the error! Could anybody test and reproduce?
Any suggestions for a fix?!
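As an added example (not OpenSLP's code, and not part of this report), here is a minimal model of a value list with the two kinds of link seen in the debugger dump above: a next link between sibling values of one attribute ("d" and "e") and a next_chunk link between continuation chunks of a single value. It includes a teardown routine that walks both links, reading each successor pointer before the node is freed, and a counting check that shows how a loop following only next_chunk never reaches the sibling values. The struct layout, the helper names and the frees_seen counter are this example's assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical value node. The field names (data, escaped_len, unescaped_len,
 * next, next_chunk) are those shown in the report's debugger dump; the layout
 * and the helpers below are assumptions of this example, not OpenSLP's code.
 *   next       links the sibling values of one attribute ("d" and "e")
 *   next_chunk links continuation chunks of a single value              */
typedef struct value {
    size_t escaped_len;
    size_t unescaped_len;
    char *data;
    struct value *next_chunk;
    struct value *next;
} value_t;

/* Number of nodes released so far; lets a test confirm that every
 * allocated node is freed exactly once (no leak, no double free). */
static size_t frees_seen;

static value_t *value_new(const char *s)
{
    value_t *v = calloc(1, sizeof *v);
    size_t n = strlen(s);
    if (!v) abort();
    v->data = malloc(n + 1);
    if (!v->data) abort();
    memcpy(v->data, s, n + 1);
    v->escaped_len = v->unescaped_len = n;
    return v;
}

/* Walks only next_chunk, like the loop quoted from var_list_destroy:
 * sibling values hanging off "next" are never visited. */
static size_t count_chunk_link_only(const value_t *v)
{
    size_t n = 0;
    for (; v; v = v->next_chunk) n++;
    return n;
}

/* Walks both links: every sibling value and every chunk of each sibling. */
static size_t count_all_nodes(const value_t *v)
{
    size_t n = 0;
    for (; v; v = v->next)
        for (const value_t *c = v; c; c = c->next_chunk) n++;
    return n;
}

/* Releases one value together with all of its continuation chunks. The
 * successor pointer is read before free() so a freed node is never touched. */
static void value_free_chunks(value_t *v)
{
    while (v) {
        value_t *to_free = v;
        v = v->next_chunk;
        free(to_free->data);
        free(to_free);
        frees_seen++;
    }
}

/* Releases a whole value list: for each sibling (next), free its chunks. */
static void value_list_destroy(value_t *head)
{
    while (head) {
        value_t *to_free = head;
        head = head->next;
        value_free_chunks(to_free);
    }
}

/* Constructed input modelled on the report's "(c=d,e)": two siblings, no chunks. */
static value_t *build_report_case(void)
{
    value_t *d = value_new("d");
    d->next = value_new("e");
    return d;
}

/* Constructed harder input: "d" split into two chunks, then sibling "e". */
static value_t *build_chunked_case(void)
{
    value_t *d = value_new("d");
    d->next_chunk = value_new("d-cont");
    d->next = value_new("e");
    return d;
}

/* Destroys a list and returns how many nodes were released. */
static size_t destroy_and_count(value_t *head)
{
    frees_seen = 0;
    value_list_destroy(head);
    return frees_seen;
}

int main(void)
{
    value_t *v = build_report_case();
    printf("next_chunk-only walk sees %zu node(s), full walk sees %zu\n",
           count_chunk_link_only(v), count_all_nodes(v));
    printf("released %zu node(s)\n", destroy_and_count(v));
    return 0;
}
```

For the report's case the next_chunk-only walk sees one node while the full walk sees two, which is exactly the "e" value that a single-link loop would leave behind; the two-link teardown releases both, and the chunked case releases all three nodes.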