We're not accounting for the action in the event header (only the device
string) when we pass the length of param data to event_parse_params.
This means we walk past the end of the event data while parsing params.
Signed-off-by: Jeremy Kerr <jk@ozlabs.org>
static int event_parse_ad_header(char *buf, int len, enum event_action *action,
char **device)
{
static int event_parse_ad_header(char *buf, int len, enum event_action *action,
char **device)
{
char *sep;
*action = 0;
*device = NULL;
char *sep;
*action = 0;
*device = NULL;
+ headerlen = strnlen(buf, len);
+
+ if (!headerlen) {
+ pb_log("%s: bad header, no data\n", __func__);
+ return -1;
+ }
/* we should see an <action>@<device>\0 at the head of the buffer */
sep = strchr(buf, '@');
/* we should see an <action>@<device>\0 at the head of the buffer */
sep = strchr(buf, '@');
/* terminate the action string */
*sep = '\0';
/* terminate the action string */
*sep = '\0';
if (streq(buf, "add"))
*action = EVENT_ACTION_ADD;
if (streq(buf, "add"))
*action = EVENT_ACTION_ADD;
int event_parse_ad_message(struct event *event, char *buf, int len)
{
int event_parse_ad_message(struct event *event, char *buf, int len)
{
- int result;
- char *device;
enum event_action action;
enum event_action action;
+ int headerlen;
+ char *device;
- result = event_parse_ad_header(buf, len, &action, &device);
+ headerlen = event_parse_ad_header(buf, len, &action, &device);
- device_len = strlen(device);
-
/* now we have an action and a device, we can construct the event */
event->action = action;
/* now we have an action and a device, we can construct the event */
event->action = action;
- event->device = talloc_strndup(event, device, device_len);
+ event->device = talloc_strdup(event, device);
event->n_params = 0;
event->params = NULL;
event->n_params = 0;
event->params = NULL;
- len -= device_len + 1;
- event_parse_params(event, device + device_len + 1, len);
+ len -= headerlen + 1;
+ buf += headerlen + 1;
+ event_parse_params(event, buf, len);
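Review bot: In event_parse_ad_header the new `headerlen = strnlen(buf, len);` is rejected only when it is zero, so a buffer with no NUL inside `len` bytes gives `headerlen == len` and is still treated as a valid header. In that case the unbounded `strchr(buf, '@')` that follows can read beyond the event data, and in event_parse_ad_message `len -= headerlen + 1;` leaves `len` at -1 with `buf` advanced beyond the end of the buffer before event_parse_params is called. Unless a check in the lines not shown already covers this, I would widen the guard to `if (!headerlen || headerlen >= len) {` so an unterminated header is refused before any further parsing. Both function bodies continue outside the visible lines, so how the caller handles a negative `headerlen` return could not be checked here.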