Commit | Line | Data |
---|---|---|
7fc65fb9 JR |
1 | diff --git a/src/xdr.c b/src/xdr.c |
2 | index 764c30f..292723b 100644 | |
3 | --- a/src/xdr.c | |
4 | +++ b/src/xdr.c | |
5 | @@ -669,6 +669,8 @@ xdr_string(xdrs, cpp, maxsize) | |
6 | } | |
7 | /* FALLTHROUGH */ | |
8 | case XDR_ENCODE: | |
9 | + if (sp == NULL) | |
10 | + return FALSE; | |
11 | size = strlen(sp); | |
12 | break; | |
13 | case XDR_DECODE: | |
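Review bot: The NULL guard added in the `XDR_ENCODE` case is written `return FALSE;`, while the rest of the function uses `return (FALSE);` (visible in the next hunk's context). The `return FALSE;` added in the second hunk has the same mismatch, so both should read `return (FALSE);`. The guard also carries no comment, and because the preceding case falls through into this one, a reader cannot tell from here which operations reach it. A one-line comment such as `/* a NULL string cannot be encoded; fail before strlen() dereferences it */` would help. The switch begins above the hunk, so how the preceding case treats `sp` is not visible here.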
14 | @@ -681,6 +683,13 @@ xdr_string(xdrs, cpp, maxsize) | |
15 | return (FALSE); | |
16 | } | |
17 | nodesize = size + 1; | |
18 | + if (nodesize == 0) { | |
19 | + /* This means an overflow. It a bug in the caller which | |
20 | + * provided a too large maxsize but nevertheless catch it | |
21 | + * here. | |
22 | + */ | |
23 | + return FALSE; | |
24 | + } | |
25 | ||
26 | /* | |
27 | * now deal with the actual bytes | |
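Review bot: The comment inside the `nodesize == 0` guard is missing a verb ("It a bug") and does not say which value overflowed; I would reword it to `/* size + 1 wrapped around to 0. This is a bug in the caller, which passed too large a maxsize, but catch it here anyway. */`. The test only works if `size + 1` wraps as an unsigned value, and the declarations of `size` and `nodesize` are outside the hunk, so that is worth confirming. The length is presumably read from the stream when decoding, which would make `maxsize` the only bound on the `mem_alloc(nodesize)` that follows. If so, the function's documentation should tell callers to pass the tightest limit their protocol allows.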
28 | @@ -688,9 +697,6 @@ xdr_string(xdrs, cpp, maxsize) | |
29 | switch (xdrs->x_op) { | |
30 | ||
31 | case XDR_DECODE: | |
32 | - if (nodesize == 0) { | |
33 | - return (TRUE); | |
34 | - } | |
35 | if (sp == NULL) | |
36 | *cpp = sp = mem_alloc(nodesize); | |
37 | if (sp == NULL) { |