projects
/
lttng-tools.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Fix: illegal memory access in list_events
[lttng-tools.git]
/
src
/
bin
/
lttng-sessiond
/
agent.c
diff --git
a/src/bin/lttng-sessiond/agent.c
b/src/bin/lttng-sessiond/agent.c
index afc3712a7127007b8d06b19bcd815893fcc33e68..791538b77ea20a3b4db0294b1c2b985ea630691a 100644
(file)
--- a/
src/bin/lttng-sessiond/agent.c
+++ b/
src/bin/lttng-sessiond/agent.c
@@
-124,7
+124,7
@@
static void destroy_event_agent_rcu(struct rcu_head *head)
struct agent_event *event =
caa_container_of(node, struct agent_event, node);
struct agent_event *event =
caa_container_of(node, struct agent_event, node);
-
free
(event);
+
agent_destroy_event
(event);
}
/*
}
/*
@@
-288,8
+288,11
@@
static ssize_t list_events(struct agent_app *app, struct lttng_event **events)
for (i = 0; i < nb_event; i++) {
offset += len;
for (i = 0; i < nb_event; i++) {
offset += len;
- strncpy(tmp_events[i].name, reply->payload + offset,
- sizeof(tmp_events[i].name));
+ if (lttng_strncpy(tmp_events[i].name, reply->payload + offset,
+ sizeof(tmp_events[i].name))) {
+ ret = LTTNG_ERR_INVALID;
+ goto error;
+ }
tmp_events[i].pid = app->pid;
tmp_events[i].enabled = -1;
len = strlen(reply->payload + offset) + 1;
tmp_events[i].pid = app->pid;
tmp_events[i].enabled = -1;
len = strlen(reply->payload + offset) + 1;
@@
-392,14
+395,17
@@
static int disable_event(struct agent_app *app, struct agent_event *event)
app->pid, app->sock->fd);
data_size = sizeof(msg);
app->pid, app->sock->fd);
data_size = sizeof(msg);
+ memset(&msg, 0, sizeof(msg));
+ if (lttng_strncpy(msg.name, event->name, sizeof(msg.name))) {
+ ret = LTTNG_ERR_INVALID;
+ goto error;
+ }
ret = send_header(app->sock, data_size, AGENT_CMD_DISABLE, 0);
if (ret < 0) {
goto error_io;
}
ret = send_header(app->sock, data_size, AGENT_CMD_DISABLE, 0);
if (ret < 0) {
goto error_io;
}
- memset(&msg, 0, sizeof(msg));
- strncpy(msg.name, event->name, sizeof(msg.name));
ret = send_payload(app->sock, &msg, sizeof(msg));
if (ret < 0) {
goto error_io;
ret = send_payload(app->sock, &msg, sizeof(msg));
if (ret < 0) {
goto error_io;
@@
-443,7
+449,7
@@
int agent_send_registration_done(struct agent_app *app)
DBG("Agent sending registration done to app socket %d", app->sock->fd);
DBG("Agent sending registration done to app socket %d", app->sock->fd);
- return send_header(app->sock, 0, AGENT_CMD_REG_DONE,
0
);
+ return send_header(app->sock, 0, AGENT_CMD_REG_DONE,
1
);
}
/*
}
/*
@@
-493,11
+499,14
@@
error:
int agent_disable_event(struct agent_event *event,
enum lttng_domain_type domain)
{
int agent_disable_event(struct agent_event *event,
enum lttng_domain_type domain)
{
- int ret;
+ int ret
= LTTNG_OK
;
struct agent_app *app;
struct lttng_ht_iter iter;
assert(event);
struct agent_app *app;
struct lttng_ht_iter iter;
assert(event);
+ if (!event->enabled) {
+ goto end;
+ }
rcu_read_lock();
rcu_read_lock();
@@
-515,10
+524,10
@@
int agent_disable_event(struct agent_event *event,
}
event->enabled = 0;
}
event->enabled = 0;
- ret = LTTNG_OK;
error:
rcu_read_unlock();
error:
rcu_read_unlock();
+end:
return ret;
}
return ret;
}
@@
-911,12
+920,12
@@
void agent_destroy_event(struct agent_event *event)
assert(event);
free(event->filter);
assert(event);
free(event->filter);
+ free(event->filter_expression);
free(event);
}
/*
free(event);
}
/*
- * Destroy an agent completely. Note that the given pointer is NOT freed
- * thus a reference to static or stack data can be passed to this function.
+ * Destroy an agent completely.
*/
void agent_destroy(struct agent *agt)
{
*/
void agent_destroy(struct agent *agt)
{
@@
-955,6
+964,7
@@
void agent_destroy(struct agent *agt)
rcu_read_unlock();
ht_cleanup_push(agt->events);
rcu_read_unlock();
ht_cleanup_push(agt->events);
+ free(agt);
}
/*
}
/*
This page took
0.026825 seconds
and
4
git commands to generate.