MT#59962 tcp_trsp_socket: `on_read()` protect against data overflow

Refactor it so, that it's not possible to go over what `unsigned long` offers (so 4,294,967,295). We are accumulating read bytes there, which can potentially be more than proposed 4,3Gb, for that case check out if the possible end result will overflow and close connection if this is likely to happen. Change-Id: I4e758292e77649ddfbcaaa7f8dc9f133e74c4600
3 weeks ago · 72a5549f88
parent 8e0ef6dcd7
commit 72a5549f88
1 changed files with 39 additions and 39 deletions
--- a/core/sip/tcp_trsp.cpp
+++ b/core/sip/tcp_trsp.cpp
@ -13,7 +13,6 @@
 #include <fcntl.h>
 #include <sys/ioctl.h>

-
 void tcp_trsp_socket::on_sock_read(int fd, short ev, void* arg)
 {
  if(ev & (EV_READ|EV_TIMEOUT)){
@ -301,58 +300,59 @@ void tcp_trsp_socket::on_read(short ev)
  ssize_t bytes = 0;
  char* old_cursor = (char*)get_input();

-  {// locked section
+  if(ev & EV_TIMEOUT) {
+    DBG("************ idle timeout: closing connection **********");
+    close();
+    return;
+  }
+
+  lock_guard<AmMutex> _l(sock_mut);
+  DBG("on_read (connected = %i)",connected);
+
+  bytes = ::read(sd, get_input(), get_input_free_space());
+
+  /* read succeeded */
+  if (bytes > 0) {
+    input_len += bytes;

-    if(ev & EV_TIMEOUT) {
-      DBG("************ idle timeout: closing connection **********");
+    DBG("received: <%.*s>",(int) bytes,old_cursor);
+
+    /* parse it */
+    if(parse_input() < 0) {
+      DBG("Error while parsing input: closing connection!");
      close();
-      return;
    }
+  }
+  /* failed */
+  else if (bytes < 0) {

-    lock_guard<AmMutex> _l(sock_mut);
-    DBG("on_read (connected = %i)",connected);
-
-    bytes = ::read(sd,get_input(),get_input_free_space());
-    if(bytes < 0) {
-      switch(errno) {
+    switch(errno)
+    {
      case EAGAIN:
-	return; // nothing to read
+        return; /* nothing to read */

      case ECONNRESET:
      case ENOTCONN:
-	DBG("connection has been closed (sd=%i)",sd);
-	close();
-	return;
+        DBG("connection has been closed (sd=%i)",sd);
+        close();
+        return;

      case ETIMEDOUT:
-	DBG("transmission timeout (sd=%i)",sd);
-	close();
-	return;
+        DBG("transmission timeout (sd=%i)",sd);
+        close();
+        return;

      default:
-	DBG("unknown error (%i): %s",errno,strerror(errno));
-	close();
-	return;
-      }
-    }
-    else if(bytes == 0) {
-      // connection closed
-      DBG("connection has been closed (sd=%i)",sd);
-      close();
-      return;
+        DBG("unknown error (%i): %s",errno,strerror(errno));
+        close();
+        return;
    }
-  }// end of - locked section
-
-  input_len += bytes;
-
-  DBG("received: <%.*s>",(int) bytes,old_cursor);
-
-  // ... and parse it
-  if(parse_input() < 0) {
-    DBG("Error while parsing input: closing connection!");
-    sock_mut.lock();
+  }
+  /* EOF */
+  else {
+    DBG("connection has been closed (sd=%i)", sd);
    close();
-    sock_mut.unlock();
+    return;
  }
 }