Commit 151b33e8 authored by Jean-Paul Saman's avatar Jean-Paul Saman

Fix segmentation fault in modules/control/telnet.c introduced in rev 18519

parent b728ff1b
...@@ -219,9 +219,9 @@ static void Close( vlc_object_t *p_this ) ...@@ -219,9 +219,9 @@ static void Close( vlc_object_t *p_this )
for( i = 0; i < p_sys->i_clients; i++ ) for( i = 0; i < p_sys->i_clients; i++ )
{ {
telnet_client_t *cl = p_sys->clients[i]; telnet_client_t *cl = p_sys->clients[i];
net_Close( cl->fd ); net_Close( cl->fd );
free( cl ); free( cl );
p_sys->clients[i] = NULL;
} }
if( p_sys->clients != NULL ) free( p_sys->clients ); if( p_sys->clients != NULL ) free( p_sys->clients );
...@@ -253,8 +253,7 @@ static void Run( intf_thread_t *p_intf ) ...@@ -253,8 +253,7 @@ static void Run( intf_thread_t *p_intf )
fd = net_Accept( p_intf, p_sys->pi_fd, p_sys->i_clients > 0 ? 0 : -1 ); fd = net_Accept( p_intf, p_sys->pi_fd, p_sys->i_clients > 0 ? 0 : -1 );
if( fd > 0 ) if( fd > 0 )
{ {
char *psz_pwd = strdup( _("Password")); telnet_client_t *cl = NULL;
telnet_client_t *cl;
/* to be non blocking */ /* to be non blocking */
#if defined( WIN32 ) || defined( UNDER_CE ) #if defined( WIN32 ) || defined( UNDER_CE )
...@@ -266,15 +265,32 @@ static void Run( intf_thread_t *p_intf ) ...@@ -266,15 +265,32 @@ static void Run( intf_thread_t *p_intf )
fcntl( fd, F_SETFL, O_NONBLOCK ); fcntl( fd, F_SETFL, O_NONBLOCK );
#endif #endif
cl = malloc( sizeof( telnet_client_t )); cl = malloc( sizeof( telnet_client_t ));
cl->i_tel_cmd = 0; if( cl )
cl->fd = fd; {
cl->buffer_write = NULL; char *psz_pwd = strdup( _("Password") );
cl->p_buffer_write = cl->buffer_write; char *psz_tmp = NULL;
realloc( psz_pwd, strlen(psz_pwd)+ 5 + 1 ); size_t ctrl_len = strlen( ": \xff\xfb\x01" );
strncat( psz_pwd, ": \xff\xfb\x01", 5); size_t passwd_len = strlen( psz_pwd );
Write_message( cl, NULL, psz_pwd, WRITE_MODE_PWD );
free( psz_pwd ); memset( cl, 0, sizeof(telnet_client_t) );
TAB_APPEND( p_sys->i_clients, p_sys->clients, cl ); cl->i_tel_cmd = 0;
cl->fd = fd;
cl->buffer_write = NULL;
cl->p_buffer_write = cl->buffer_write;
psz_tmp = malloc( passwd_len + ctrl_len + 1 );
if( !psz_tmp )
{
free( psz_pwd );
continue;
}
memset( psz_tmp, 0, passwd_len + ctrl_len + 1 );
memcpy( psz_tmp, psz_pwd, passwd_len );
memcpy( psz_tmp + passwd_len, ": \xff\xfb\x01", ctrl_len );
Write_message( cl, NULL, psz_tmp, WRITE_MODE_PWD );
TAB_APPEND( p_sys->i_clients, p_sys->clients, cl );
free( psz_pwd );
free( psz_tmp );
}
} }
/* to do a proper select */ /* to do a proper select */
...@@ -285,7 +301,7 @@ static void Run( intf_thread_t *p_intf ) ...@@ -285,7 +301,7 @@ static void Run( intf_thread_t *p_intf )
{ {
telnet_client_t *cl = p_sys->clients[i]; telnet_client_t *cl = p_sys->clients[i];
if( cl->i_mode == WRITE_MODE_PWD || cl->i_mode == WRITE_MODE_CMD ) if( (cl->i_mode == WRITE_MODE_PWD) || (cl->i_mode == WRITE_MODE_CMD) )
{ {
FD_SET( cl->fd , &fds_write ); FD_SET( cl->fd , &fds_write );
} }
...@@ -300,7 +316,7 @@ static void Run( intf_thread_t *p_intf ) ...@@ -300,7 +316,7 @@ static void Run( intf_thread_t *p_intf )
timeout.tv_usec = 500*1000; timeout.tv_usec = 500*1000;
i_ret = select( i_handle_max + 1, &fds_read, &fds_write, 0, &timeout ); i_ret = select( i_handle_max + 1, &fds_read, &fds_write, 0, &timeout );
if( i_ret == -1 && errno != EINTR ) if( (i_ret == -1) && (errno != EINTR) )
{ {
msg_Warn( p_intf, "cannot select sockets" ); msg_Warn( p_intf, "cannot select sockets" );
msleep( 1000 ); msleep( 1000 );
...@@ -316,10 +332,10 @@ static void Run( intf_thread_t *p_intf ) ...@@ -316,10 +332,10 @@ static void Run( intf_thread_t *p_intf )
{ {
telnet_client_t *cl = p_sys->clients[i]; telnet_client_t *cl = p_sys->clients[i];
if( FD_ISSET(cl->fd , &fds_write) && cl->i_buffer_write > 0 ) if( FD_ISSET(cl->fd , &fds_write) && (cl->i_buffer_write > 0) )
{ {
i_len = send( cl->fd , cl->p_buffer_write , i_len = send( cl->fd, cl->p_buffer_write ,
cl->i_buffer_write , 0 ); cl->i_buffer_write, 0 );
if( i_len > 0 ) if( i_len > 0 )
{ {
cl->p_buffer_write += i_len; cl->p_buffer_write += i_len;
...@@ -331,8 +347,8 @@ static void Run( intf_thread_t *p_intf ) ...@@ -331,8 +347,8 @@ static void Run( intf_thread_t *p_intf )
int i_end = 0; int i_end = 0;
int i_recv; int i_recv;
while( (i_recv=recv( cl->fd, cl->p_buffer_read, 1, 0 )) > 0 && while( ((i_recv=recv( cl->fd, cl->p_buffer_read, 1, 0 )) > 0) &&
cl->p_buffer_read - cl->buffer_read < 999 ) ((cl->p_buffer_read - cl->buffer_read) < 999) )
{ {
switch( cl->i_tel_cmd ) switch( cl->i_tel_cmd )
{ {
...@@ -377,13 +393,13 @@ static void Run( intf_thread_t *p_intf ) ...@@ -377,13 +393,13 @@ static void Run( intf_thread_t *p_intf )
if( i_end != 0 ) break; if( i_end != 0 ) break;
} }
if( cl->p_buffer_read - cl->buffer_read == 999 ) if( (cl->p_buffer_read - cl->buffer_read) == 999 )
{ {
Write_message( cl, NULL, _( "Line too long\r\n" ), Write_message( cl, NULL, _( "Line too long\r\n" ),
cl->i_mode + 2 ); cl->i_mode + 2 );
} }
if (i_recv == 0) if( i_recv == 0 )
{ {
net_Close( cl->fd ); net_Close( cl->fd );
TAB_REMOVE( p_intf->p_sys->i_clients , TAB_REMOVE( p_intf->p_sys->i_clients ,
...@@ -398,24 +414,35 @@ static void Run( intf_thread_t *p_intf ) ...@@ -398,24 +414,35 @@ static void Run( intf_thread_t *p_intf )
{ {
telnet_client_t *cl = p_sys->clients[i]; telnet_client_t *cl = p_sys->clients[i];
if( cl->i_mode >= WRITE_MODE_PWD && cl->i_buffer_write == 0 ) if( (cl->i_mode >= WRITE_MODE_PWD) && (cl->i_buffer_write == 0) )
{ {
// we have finished to send // we have finished to send
cl->i_mode -= 2; // corresponding READ MODE cl->i_mode -= 2; // corresponding READ MODE
} }
else if( cl->i_mode == READ_MODE_PWD && else if( (cl->i_mode == READ_MODE_PWD) &&
*cl->p_buffer_read == '\n' ) (*cl->p_buffer_read == '\n') )
{ {
*cl->p_buffer_read = '\0'; *cl->p_buffer_read = '\0';
if( strcmp( psz_password, cl->buffer_read ) == 0 ) if( strcmp( psz_password, cl->buffer_read ) == 0 )
{ {
char *psz_tmp=strdup( _("Welcome, Master") ); char *psz_welcome = strdup( _("Welcome, Master") );
realloc(psz_tmp, 5 + strlen(psz_tmp) + 4 + 1); char *psz_tmp = NULL;
memmove( psz_tmp + 5, psz_tmp, strlen(psz_tmp) + 1 ); size_t welcome_len = strlen( psz_welcome );
memcpy( psz_tmp, "\xff\xfc\x01\r\n",5); size_t ctrl_len = strlen("\xff\xfc\x01\r\n");
strncat( psz_tmp, "\r\n> ", 4 );
psz_tmp = malloc( welcome_len + ctrl_len + 4 + 1 );
if( !psz_tmp )
{
free( psz_welcome );
continue;
}
memset( psz_tmp, 0, welcome_len + ctrl_len + 4 + 1 );
memcpy( psz_tmp, "\xff\xfc\x01\r\n", ctrl_len );
memcpy( psz_tmp + ctrl_len, psz_welcome, welcome_len );
memcpy( psz_tmp + ctrl_len + welcome_len, "\r\n> ", 4 );
Write_message( cl, NULL, psz_tmp, WRITE_MODE_CMD ); Write_message( cl, NULL, psz_tmp, WRITE_MODE_CMD );
free( psz_tmp); free( psz_welcome );
free( psz_tmp );
} }
else else
{ {
...@@ -425,8 +452,8 @@ static void Run( intf_thread_t *p_intf ) ...@@ -425,8 +452,8 @@ static void Run( intf_thread_t *p_intf )
WRITE_MODE_PWD ); WRITE_MODE_PWD );
} }
} }
else if( cl->i_mode == READ_MODE_CMD && else if( (cl->i_mode == READ_MODE_CMD) &&
*cl->p_buffer_read == '\n' ) (*cl->p_buffer_read == '\n') )
{ {
/* ok, here is a command line */ /* ok, here is a command line */
if( !strncmp( cl->buffer_read, "logout", 6 ) || if( !strncmp( cl->buffer_read, "logout", 6 ) ||
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment