From 82d42863354dda53a8aa4d52b62608dd589bc7c6 Mon Sep 17 00:00:00 2001 From: Sachin Kumar Gupta Date: Thu, 18 Sep 2014 15:28:29 +0530 Subject: [PATCH LIBICE] Dereferencing of freed iceConn #83235 Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=83235 It incorporates changes in (a) ICEmsg.h: Fix other macros to check for _iceConn being NULL before dereferencing it. (b) misc.c: Function _IceReadSkip's return type has been modified to return 0 when _IceRead frees iceConn and 1 in other cases. (c) process.c: Check for _iceConn being NULL before dereferencing it. (d) protosetup.c: To handle the situation when in function 'IceProtocolSetup' the function call to 'IceProcessMessages' at line 196, which internally calls '_IceRead' which may free '_iceConn', leads to derefercing of already freed iceConn. Signed-off-by: Sachin Kumar Gupta --- include/X11/ICE/ICEmsg.h | 217 ++++++++++++++++++++++++++++------------------ src/misc.c | 7 +- src/process.c | 131 +++++++++++++++------------- src/protosetup.c | 14 +++- 4 files changed, 219 insertions(+), 150 deletions(-) diff --git a/include/X11/ICE/ICEmsg.h b/include/X11/ICE/ICEmsg.h index f6e7121..a8a7909 100644 --- a/include/X11/ICE/ICEmsg.h +++ b/include/X11/ICE/ICEmsg.h @@ -45,7 +45,7 @@ extern Status _IceRead ( char * /* ptr */ ); -extern void _IceReadSkip ( +extern Status _IceReadSkip ( IceConn /* iceConn */, unsigned long /* nbytes */ ); @@ -123,48 +123,55 @@ extern IcePaAuthStatus _IcePaMagicCookie1Proc ( */ #define IceGetHeader(_iceConn, _major, _minor, _headerSize, _msgType, _pMsg) \ - if ((_iceConn->outbufptr + _headerSize) > _iceConn->outbufmax) \ - IceFlush (_iceConn); \ - _pMsg = (_msgType *) _iceConn->outbufptr; \ - _pMsg->majorOpcode = _major; \ - _pMsg->minorOpcode = _minor; \ - _pMsg->length = (_headerSize - SIZEOF (iceMsg)) >> 3; \ - _iceConn->outbufptr += _headerSize; \ - _iceConn->send_sequence++ + if (_iceConn && _iceConn->outbufptr && _iceConn->outbufmax && _iceConn->send_sequence) { \ + if ((_iceConn->outbufptr + _headerSize) > _iceConn->outbufmax) \ + IceFlush (_iceConn); \ + _pMsg = (_msgType *) _iceConn->outbufptr; \ + _pMsg->majorOpcode = _major; \ + _pMsg->minorOpcode = _minor; \ + _pMsg->length = (_headerSize - SIZEOF (iceMsg)) >> 3; \ + _iceConn->outbufptr += _headerSize; \ + _iceConn->send_sequence++; \ + } #define IceGetHeaderExtra(_iceConn, _major, _minor, _headerSize, _extra, _msgType, _pMsg, _pData) \ - if ((_iceConn->outbufptr + \ - _headerSize + ((_extra) << 3)) > _iceConn->outbufmax) \ - IceFlush (_iceConn); \ - _pMsg = (_msgType *) _iceConn->outbufptr; \ - if ((_iceConn->outbufptr + \ - _headerSize + ((_extra) << 3)) <= _iceConn->outbufmax) \ - _pData = (char *) _pMsg + _headerSize; \ + if (_iceConn && _iceConn->outbufptr && _iceConn->outbufmax && _iceConn->send_sequence ) { \ + if ((_iceConn->outbufptr + \ + _headerSize + ((_extra) << 3)) > _iceConn->outbufmax) \ + IceFlush (_iceConn); \ + _pMsg = (_msgType *) _iceConn->outbufptr; \ + if ((_iceConn->outbufptr + \ + _headerSize + ((_extra) << 3)) <= _iceConn->outbufmax) \ + _pData = (char *) _pMsg + _headerSize; \ else \ _pData = NULL; \ _pMsg->majorOpcode = _major; \ _pMsg->minorOpcode = _minor; \ _pMsg->length = ((_headerSize - SIZEOF (iceMsg)) >> 3) + (_extra); \ _iceConn->outbufptr += (_headerSize + ((_extra) << 3)); \ - _iceConn->send_sequence++ - + _iceConn->send_sequence++; \ + } #define IceSimpleMessage(_iceConn, _major, _minor) \ { \ - iceMsg *_pMsg; \ - IceGetHeader (_iceConn, _major, _minor, SIZEOF (iceMsg), iceMsg, _pMsg); \ -} + if (_iceConn) { \ + iceMsg *_pMsg; \ + IceGetHeader (_iceConn, _major, _minor, SIZEOF (iceMsg), iceMsg, _pMsg); \ + } \ + } #define IceErrorHeader(_iceConn, _offendingMajorOpcode, _offendingMinorOpcode, _offendingSequenceNum, _severity, _errorClass, _dataLength) \ { \ - iceErrorMsg *_pMsg; \ + if (_iceConn) { \ + iceErrorMsg *_pMsg; \ \ - IceGetHeader (_iceConn, _offendingMajorOpcode, ICE_Error, \ - SIZEOF (iceErrorMsg), iceErrorMsg, _pMsg); \ - _pMsg->length += (_dataLength); \ - _pMsg->offendingMinorOpcode = (CARD8) _offendingMinorOpcode; \ - _pMsg->severity = (CARD8) _severity; \ - _pMsg->offendingSequenceNum = (CARD32) _offendingSequenceNum; \ - _pMsg->errorClass = (CARD16) _errorClass; \ + IceGetHeader (_iceConn, _offendingMajorOpcode, ICE_Error, \ + SIZEOF (iceErrorMsg), iceErrorMsg, _pMsg); \ + _pMsg->length += (_dataLength); \ + _pMsg->offendingMinorOpcode = (CARD8) _offendingMinorOpcode; \ + _pMsg->severity = (CARD8) _severity; \ + _pMsg->offendingSequenceNum = (CARD32) _offendingSequenceNum; \ + _pMsg->errorClass = (CARD16) _errorClass; \ + } \ } @@ -174,18 +181,21 @@ extern IcePaAuthStatus _IcePaMagicCookie1Proc ( #define IceWriteData(_iceConn, _bytes, _data) \ { \ - if ((_iceConn->outbufptr + (_bytes)) > _iceConn->outbufmax) \ - { \ - IceFlush (_iceConn); \ - _IceWrite (_iceConn, (unsigned long) (_bytes), _data); \ - } \ - else \ - { \ - memcpy (_iceConn->outbufptr, _data, _bytes); \ - _iceConn->outbufptr += (_bytes); \ - } \ + if (_iceConn &&_iceConn->outbufptr && _iceConn->outbufmax ) { \ + if ((_iceConn->outbufptr + (_bytes)) > _iceConn->outbufmax) \ + { \ + IceFlush (_iceConn); \ + _IceWrite (_iceConn, (unsigned long) (_bytes), _data); \ + } \ + else \ + { \ + memcpy (_iceConn->outbufptr, _data, _bytes); \ + _iceConn->outbufptr += (_bytes); \ + } \ + }\ } + #define IceWriteData16(_iceConn, _bytes, _data) \ IceWriteData (_iceConn, _bytes, (char *) _data) @@ -201,9 +211,11 @@ extern IcePaAuthStatus _IcePaMagicCookie1Proc ( #define IceSendData(_iceConn, _bytes, _data) \ { \ - if (_iceConn->outbufptr > _iceConn->outbuf) \ - IceFlush (_iceConn); \ - _IceWrite (_iceConn, (unsigned long) (_bytes), _data); \ + if (_iceConn &&_iceConn->outbufptr) { \ + if (_iceConn->outbufptr > _iceConn->outbuf) \ + IceFlush (_iceConn); \ + _IceWrite (_iceConn, (unsigned long) (_bytes), _data); \ + } \ } @@ -214,74 +226,105 @@ extern IcePaAuthStatus _IcePaMagicCookie1Proc ( #define IceWritePad(_iceConn, _bytes) \ { \ - if ((_iceConn->outbufptr + (_bytes)) > _iceConn->outbufmax) \ - { \ - char _dummy[7] = { 0 }; \ - IceFlush (_iceConn); \ - _IceWrite (_iceConn, (unsigned long) (_bytes), _dummy); \ - } \ - else \ - { \ - _iceConn->outbufptr += (_bytes); \ - } \ + if (_iceConn &&_iceConn->outbufptr) { \ + if ((_iceConn->outbufptr + (_bytes)) > _iceConn->outbufmax) \ + { \ + char _dummy[7] = { 0 }; \ + IceFlush (_iceConn); \ + _IceWrite (_iceConn, (unsigned long) (_bytes), _dummy); \ + } \ + else \ + { \ + _iceConn->outbufptr += (_bytes); \ + } \ + } \ } - /* * Macros for reading messages. */ -#define IceReadCompleteMessage(_iceConn, _headerSize, _msgType, _pMsg, _pData)\ +#define IceReadCompleteMessage(_iceConn, _headerSize, _msgType, _pMsg, _pData) \ { \ - unsigned long _bytes; \ - IceReadMessageHeader (_iceConn, _headerSize, _msgType, _pMsg); \ - _bytes = (_pMsg->length << 3) - (_headerSize - SIZEOF (iceMsg)); \ - if ((_iceConn->inbufmax - _iceConn->inbufptr) >= _bytes) \ - { \ - _IceRead (_iceConn, _bytes, _iceConn->inbufptr); \ - _pData = _iceConn->inbufptr; \ - _iceConn->inbufptr += _bytes; \ - } \ - else \ - { \ - _pData = malloc (_bytes); \ - if (_pData) \ - _IceRead (_iceConn, _bytes, _pData); \ + if (_iceConn &&_iceConn->inbufmax && _iceConn->inbufptr){ \ + unsigned long _bytes; \ + IceReadMessageHeader (_iceConn, _headerSize, _msgType, _pMsg); \ + _bytes = (_pMsg->length << 3) - (_headerSize - SIZEOF (iceMsg)); \ + if ((_iceConn->inbufmax - _iceConn->inbufptr) >= _bytes) \ + { \ + if (!_IceRead (_iceConn, _bytes, _iceConn->inbufptr)) \ + _iceConn = NULL; \ + else{ \ + _pData = _iceConn->inbufptr; \ + _iceConn->inbufptr += _bytes; \ + } \ + } \ else \ - _IceReadSkip (_iceConn, _bytes); \ - } \ + { \ + _pData = (char *) malloc ((unsigned) _bytes); \ + if (_pData) { \ + if (! _IceRead (_iceConn, _bytes, _pData)) \ + _iceConn = NULL; \ + } \ + else \ + if(! _IceReadSkip (_iceConn, _bytes)) \ + _iceConn = NULL; \ + } \ + } \ } + #define IceDisposeCompleteMessage(_iceConn, _pData) \ - if ((char *) _pData < _iceConn->inbuf || \ - (char *) _pData >= _iceConn->inbufmax) \ - free (_pData); + if (_iceConn && _iceConn->inbuf && _iceConn->inbufmax ){ \ + if ((char *) _pData < _iceConn->inbuf || \ + (char *) _pData >= _iceConn->inbufmax) \ + free (_pData); \ + } #define IceReadSimpleMessage(_iceConn, _msgType, _pMsg) \ - _pMsg = (_msgType *) (_iceConn->inbuf); + if (_iceConn && _iceConn->inbuf) \ + _pMsg = (_msgType *) (_iceConn->inbuf); #define IceReadMessageHeader(_iceConn, _headerSize, _msgType, _pMsg) \ { \ - _IceRead (_iceConn, \ - (unsigned long) (_headerSize - SIZEOF (iceMsg)), \ - _iceConn->inbufptr); \ - _pMsg = (_msgType *) (_iceConn->inbuf); \ - _iceConn->inbufptr += (_headerSize - SIZEOF (iceMsg)); \ + if (_iceConn &&_iceConn->inbufptr && _iceConn->inbuf) {\ + if (!_IceRead (_iceConn, \ + (unsigned long) (_headerSize - SIZEOF (iceMsg)), \ + _iceConn->inbufptr) \ + ) { \ + _iceConn = NULL; \ + } \ + else { \ + _pMsg = (_msgType *) (_iceConn->inbuf); \ + _iceConn->inbufptr += (_headerSize - SIZEOF (iceMsg)); \ + }\ + } \ } #define IceReadData(_iceConn, _bytes, _pData) \ - _IceRead (_iceConn, (unsigned long) (_bytes), (char *) _pData); \ - + if (_iceConn) \ + if (!_IceRead (_iceConn, (unsigned long) (_bytes), (char *) _pData)) \ + _iceConn = NULL; + + + #define IceReadData16(_iceConn, _swap, _bytes, _pData) \ { \ - _IceRead (_iceConn, (unsigned long) (_bytes), (char *) _pData); \ + if (_iceConn){ \ + if (!_IceRead (_iceConn, (unsigned long) (_bytes), (char *) _pData)) \ + _iceConn = NULL; \ + } \ } #define IceReadData32(_iceConn, _swap, _bytes, _pData) \ { \ - _IceRead (_iceConn, (unsigned long) (_bytes), (char *) _pData); \ -} + if (_iceConn) { \ + if (! _IceRead (_iceConn, (unsigned long) (_bytes), (char *) _pData)) \ + _iceConn = NULL;\ + }\ + } + /* @@ -292,9 +335,13 @@ extern IcePaAuthStatus _IcePaMagicCookie1Proc ( #define IceReadPad(_iceConn, _bytes) \ { \ char _dummy[7]; \ - _IceRead (_iceConn, (unsigned long) (_bytes), _dummy); \ + if (_iceConn) { \ + if (! _IceRead (_iceConn, (unsigned long) (_bytes), _dummy)) \ + iceConn = NULL; \ + }\ } + _XFUNCPROTOEND #endif /* _ICEMSG_H_ */ diff --git a/src/misc.c b/src/misc.c index d2e9150..77d200a 100644 --- a/src/misc.c +++ b/src/misc.c @@ -309,7 +309,7 @@ _IceRead ( * message can be processed correctly. */ -void +Status _IceReadSkip ( register IceConn iceConn, register unsigned long nbytes @@ -321,9 +321,12 @@ _IceReadSkip ( { unsigned long rbytes = nbytes > 512 ? 512 : nbytes; - _IceRead (iceConn, rbytes, temp); + if(!_IceRead (iceConn, rbytes, temp)) + return 0; nbytes -= rbytes; } + + return 1; } diff --git a/src/process.c b/src/process.c index f0c3369..494ef70 100644 --- a/src/process.c +++ b/src/process.c @@ -39,32 +39,40 @@ Author: Ralph Mor, X Consortium */ #define CHECK_SIZE_MATCH(_iceConn, _opcode, _expected_len, _actual_len, _severity, _return) \ - if ((((_actual_len) - SIZEOF (iceMsg)) >> 3) != _expected_len) \ - { \ - _IceErrorBadLength (_iceConn, 0, _opcode, _severity); \ - return (_return); \ + if (_iceConn){ \ + if ((((_actual_len) - SIZEOF (iceMsg)) >> 3) != _expected_len) \ + { \ + _IceErrorBadLength (_iceConn, 0, _opcode, _severity); \ + return (_return); \ + } \ } #define CHECK_AT_LEAST_SIZE(_iceConn, _opcode, _expected_len, _actual_len, _severity) \ - if ((((_actual_len) - SIZEOF (iceMsg)) >> 3) > _expected_len) \ - { \ - _IceErrorBadLength (_iceConn, 0, _opcode, _severity); \ - return (0); \ + if (_iceConn) { \ + if ((((_actual_len) - SIZEOF (iceMsg)) >> 3) > _expected_len) \ + { \ + _IceErrorBadLength (_iceConn, 0, _opcode, _severity); \ + return (0); \ + } \ } #define CHECK_COMPLETE_SIZE(_iceConn, _opcode, _expected_len, _actual_len, _pStart, _severity) \ - if (((PADDED_BYTES64((_actual_len)) - SIZEOF (iceMsg)) >> 3) \ - != _expected_len) \ - { \ - _IceErrorBadLength (_iceConn, 0, _opcode, _severity); \ - IceDisposeCompleteMessage (iceConn, _pStart); \ - return (0); \ + if (_iceConn) { \ + if (((PADDED_BYTES64((_actual_len)) - SIZEOF (iceMsg)) >> 3) \ + != _expected_len) \ + { \ + _IceErrorBadLength (_iceConn, 0, _opcode, _severity); \ + IceDisposeCompleteMessage (iceConn, _pStart); \ + return (0); \ + }\ } #define BAIL_STRING(_iceConn, _opcode, _pStart) {\ - _IceErrorBadLength (_iceConn, 0, _opcode, IceFatalToConnection);\ - IceDisposeCompleteMessage (_iceConn, _pStart);\ - return (0);\ + if(_iceConn) { \ + _IceErrorBadLength (_iceConn, 0, _opcode, IceFatalToConnection);\ + IceDisposeCompleteMessage (_iceConn, _pStart);\ + return (0);\ +} \ } #ifndef HAVE_ASPRINTF @@ -200,7 +208,7 @@ IceProcessMessages ( * that the connection was closed, _IceRead returns status 0. * Since the connection was closed, we just want to return here. */ - + return (IceProcessMessagesConnectionClosed); } @@ -363,7 +371,8 @@ IceProcessMessages ( _IceErrorBadMajor (iceConn, header->majorOpcode, header->minorOpcode, IceCanContinue); - _IceReadSkip (iceConn, header->length << 3); + if( !_IceReadSkip (iceConn, header->length << 3)) + iceConn = NULL; } else { @@ -390,11 +399,12 @@ IceProcessMessages ( } } } - - if (replyReady) - { + if (iceConn) + { + if (replyReady) + { _IceSetReplyReady (iceConn, useThisReplyWait); - } + } /* @@ -403,8 +413,8 @@ IceProcessMessages ( * replyWait list if it is ready. */ - if (replyWait) - *replyReadyRet = _IceCheckReplyReady (iceConn, replyWait); + if ( replyWait) + *replyReadyRet = _IceCheckReplyReady (iceConn, replyWait); /* @@ -413,19 +423,19 @@ IceProcessMessages ( * possible bad IO status. */ - iceConn->dispatch_level--; + iceConn->dispatch_level--; - if (iceConn->dispatch_level == 0 && iceConn->free_asap) - { + if (iceConn->dispatch_level == 0 && iceConn->free_asap) + { _IceFreeConnection (iceConn); retStatus = IceProcessMessagesConnectionClosed; - } - else if (!iceConn->io_ok) - { - iceConn->connection_status = IceConnectIOError; - retStatus = IceProcessMessagesIOError; - } - + } + else if (!iceConn->io_ok) + { + iceConn->connection_status = IceConnectIOError; + retStatus = IceProcessMessagesIOError; + } + } return (retStatus); } @@ -609,7 +619,7 @@ ProcessError ( IceReadCompleteMessage (iceConn, SIZEOF (iceErrorMsg), iceErrorMsg, message, pStart); - if (!IceValidIO (iceConn)) + if (iceConn && !IceValidIO (iceConn)) { IceDisposeCompleteMessage (iceConn, pStart); return (0); @@ -641,7 +651,7 @@ ProcessError ( } else { - if (iceConn->connect_to_you && + if (iceConn && iceConn->connect_to_you && ((!iceConn->connect_to_you->auth_active && message->offendingMinorOpcode == ICE_ConnectionSetup) || (iceConn->connect_to_you->auth_active && @@ -707,7 +717,7 @@ ProcessError ( errorReply->type = ICE_CONNECTION_ERROR; errorReply->error_message = errorStr; } - else if (iceConn->protosetup_to_you && + else if (iceConn && iceConn->protosetup_to_you && ((!iceConn->protosetup_to_you->auth_active && message->offendingMinorOpcode == ICE_ProtocolSetup) || (iceConn->protosetup_to_you->auth_active && @@ -807,7 +817,7 @@ ProcessError ( IcePoAuthProc authProc; - if (iceConn->connect_to_you && + if (iceConn && iceConn->connect_to_you && iceConn->connect_to_you->auth_active) { authProc = _IcePoAuthProcs[(int) @@ -817,7 +827,7 @@ ProcessError ( True /* clean up */, False /* swap */, 0, NULL, NULL, NULL, NULL); } - else if (iceConn->protosetup_to_you && + else if (iceConn && iceConn->protosetup_to_you && iceConn->protosetup_to_you->auth_active) { _IcePoProtocol *protocol = _IceProtocols[ @@ -879,7 +889,7 @@ ProcessConnectionSetup ( IceReadCompleteMessage (iceConn, SIZEOF (iceConnectionSetupMsg), iceConnectionSetupMsg, message, pStart); - if (!IceValidIO (iceConn)) + if (iceConn && !IceValidIO (iceConn)) { IceDisposeCompleteMessage (iceConn, pStart); return (0); @@ -1133,7 +1143,7 @@ ProcessAuthRequired ( IceReadCompleteMessage (iceConn, SIZEOF (iceAuthRequiredMsg), iceAuthRequiredMsg, message, authData); - if (!IceValidIO (iceConn)) + if (iceConn && !IceValidIO (iceConn)) { IceDisposeCompleteMessage (iceConn, authData); return (0); @@ -1148,7 +1158,7 @@ ProcessAuthRequired ( message->authDataLength + SIZEOF (iceAuthRequiredMsg), authData, iceConn->connect_to_you ? IceFatalToConnection : IceFatalToProtocol); - if (iceConn->connect_to_you) + if (iceConn && iceConn->connect_to_you) { if ((int) message->authIndex >= _IceAuthCount) { @@ -1177,7 +1187,7 @@ ProcessAuthRequired ( iceConn->connect_to_you->auth_active = 1; } } - else if (iceConn->protosetup_to_you) + else if (iceConn && iceConn->protosetup_to_you) { if ((int) message->authIndex >= iceConn->protosetup_to_you->my_auth_count) @@ -1238,12 +1248,12 @@ ProcessAuthRequired ( replyWait->sequence_of_request = iceConn->send_sequence; replyWait->minor_opcode_of_request = ICE_AuthReply; - if (iceConn->connect_to_you) + if (iceConn && iceConn->connect_to_you) { iceConn->connect_to_you->my_auth_state = authState; iceConn->connect_to_you->my_auth_index = message->authIndex; } - else if (iceConn->protosetup_to_you) + else if (iceConn && iceConn->protosetup_to_you) { iceConn->protosetup_to_you->my_auth_state = authState; iceConn->protosetup_to_you->my_auth_index = realAuthIndex; @@ -1273,7 +1283,7 @@ ProcessAuthRequired ( returnErrorString = NULL; free (errorString); - if (iceConn->connect_to_you) + if (iceConn && iceConn->connect_to_you) { _IceConnectionError *errorReply = &(((_IceReply *) (replyWait->reply))->connection_error); @@ -1322,7 +1332,7 @@ ProcessAuthReply ( IceReadCompleteMessage (iceConn, SIZEOF (iceAuthReplyMsg), iceAuthReplyMsg, message, replyData); - if (!IceValidIO (iceConn)) + if (iceConn && !IceValidIO (iceConn)) { IceDisposeCompleteMessage (iceConn, replyData); return (0); @@ -1339,7 +1349,7 @@ ProcessAuthReply ( replyDataLen = message->authDataLength; - if (iceConn->connect_to_me) + if (iceConn && iceConn->connect_to_me) { IcePaAuthProc authProc = _IcePaAuthProcs[(int) (iceConn->connect_to_me->my_auth_index)]; @@ -1409,7 +1419,7 @@ ProcessAuthReply ( iceConn->connect_to_me = NULL; } } - else if (iceConn->protosetup_to_me) + else if (iceConn && iceConn->protosetup_to_me) { _IcePaProtocol *myProtocol = _IceProtocols[iceConn->protosetup_to_me-> my_opcode - 1].accept_client; @@ -1621,7 +1631,7 @@ ProcessAuthNextPhase ( IceReadCompleteMessage (iceConn, SIZEOF (iceAuthNextPhaseMsg), iceAuthNextPhaseMsg, message, authData); - if (!IceValidIO (iceConn)) + if (iceConn && !IceValidIO (iceConn)) { IceDisposeCompleteMessage (iceConn, authData); return (0); @@ -1636,14 +1646,14 @@ ProcessAuthNextPhase ( message->authDataLength + SIZEOF (iceAuthNextPhaseMsg), authData, iceConn->connect_to_you ? IceFatalToConnection : IceFatalToProtocol); - if (iceConn->connect_to_you) + if (iceConn && iceConn->connect_to_you) { authProc = _IcePoAuthProcs[(int) (iceConn->connect_to_you->my_auth_index)]; authState = &iceConn->connect_to_you->my_auth_state; } - else if (iceConn->protosetup_to_you) + else if (iceConn && iceConn->protosetup_to_you) { _IcePoProtocol *myProtocol = _IceProtocols[iceConn->protosetup_to_you->my_opcode - 1].orig_client; @@ -1700,7 +1710,7 @@ ProcessAuthNextPhase ( returnErrorString = NULL; free (errorString); - if (iceConn->connect_to_you) + if (iceConn && iceConn->connect_to_you) { _IceConnectionError *errorReply = &(((_IceReply *) (replyWait->reply))->connection_error); @@ -1727,7 +1737,7 @@ ProcessAuthNextPhase ( } - + static Bool ProcessConnectionReply ( IceConn iceConn, @@ -1748,7 +1758,7 @@ ProcessConnectionReply ( IceReadCompleteMessage (iceConn, SIZEOF (iceConnectionReplyMsg), iceConnectionReplyMsg, message, pStart); - if (!IceValidIO (iceConn)) + if (iceConn && !IceValidIO (iceConn)) { IceDisposeCompleteMessage (iceConn, pStart); return (0); @@ -1770,7 +1780,7 @@ ProcessConnectionReply ( pData = pStart; - if (iceConn->connect_to_you) + if (iceConn && iceConn->connect_to_you) { if (iceConn->connect_to_you->auth_active) { @@ -1829,7 +1839,6 @@ ProcessConnectionReply ( } - static int ProcessProtocolSetup ( IceConn iceConn, @@ -2247,7 +2256,7 @@ ProcessProtocolReply ( IceReadCompleteMessage (iceConn, SIZEOF (iceProtocolReplyMsg), iceProtocolReplyMsg, message, pStart); - if (!IceValidIO (iceConn)) + if (iceConn && !IceValidIO (iceConn)) { IceDisposeCompleteMessage (iceConn, pStart); return (0); @@ -2269,7 +2278,7 @@ ProcessProtocolReply ( pData = pStart; - if (iceConn->protosetup_to_you) + if (iceConn && iceConn->protosetup_to_you) { if (iceConn->protosetup_to_you->auth_active) { @@ -2330,7 +2339,7 @@ ProcessProtocolReply ( } - + static int ProcessPing ( IceConn iceConn, diff --git a/src/protosetup.c b/src/protosetup.c index fc6010a..cfd0ea0 100644 --- a/src/protosetup.c +++ b/src/protosetup.c @@ -57,6 +57,7 @@ IceProtocolSetup ( unsigned long setup_sequence; IceReplyWaitInfo replyWait; _IceReply reply; + IceProcessMessagesStatus msgStatus; IcePoVersionRec *versionRec = NULL; int authCount; int *authIndices; @@ -193,8 +194,17 @@ IceProtocolSetup ( while (!gotReply && !ioErrorOccured) { - ioErrorOccured = (IceProcessMessages ( - iceConn, &replyWait, &gotReply) == IceProcessMessagesIOError); + msgStatus = IceProcessMessages ( iceConn, &replyWait, &gotReply); + if (msgStatus == IceProcessMessagesConnectionClosed) + { + iceConn == NULL; + strncpy (errorStringRet, + "Connection Closure occured doing Protocol Setup on connection", + errorLength); + + return (IceProtocolSetupFailure); + } + ioErrorOccured = (msgStatus == IceProcessMessagesIOError); if (ioErrorOccured) { -- 1.7.1