From b509fbde6a79fadd1eaab46a7bb1d08ce1b28090 Mon Sep 17 00:00:00 2001
From: Johan Hedberg
Date: Thu, 3 May 2007 11:49:43 +0000
Subject: Fix append_and_grow_string for memory leaks and potential data corruption if memory allocation fails
---
 hcid/dbus-sdp.c | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/hcid/dbus-sdp.c b/hcid/dbus-sdp.c
index 3e68c7e0..5a79a7b4 100644
--- a/hcid/dbus-sdp.c
+++ b/hcid/dbus-sdp.c
@@ -222,26 +222,32 @@ static sdp_session_t *get_sdp_session(bdaddr_t *src, bdaddr_t *dst)
 static void append_and_grow_string(void *data, const char *str)
 {
- sdp_buf_t *buff = (sdp_buf_t *) data;
+ sdp_buf_t *buff = data;
 int len;
 len = strlen(str);
 if (!buff->data) {
- buff->buf_size = DEFAULT_XML_BUF_SIZE;
- buff->data = realloc(buff->data, buff->buf_size);
+ buff->data = malloc(DEFAULT_XML_BUF_SIZE);
 if (!buff->data)
 return;
+ buff->buf_size = DEFAULT_XML_BUF_SIZE;
 }
 /* Grow string */
 while (buff->buf_size < (buff->data_size + len + 1)) {
+ void *tmp;
+ uint32_t new_size;
+
 /* Grow buffer by a factor of 2 */
- buff->buf_size = (buff->buf_size << 1);
+ new_size = (buff->buf_size << 1);
- buff->data = realloc(buff->data, buff->buf_size);
- if (!buff->data)
+ tmp = realloc(buff->data, new_size);
+ if (!tmp)
 return;
+
+ buff->data = tmp;
+ buff->buf_size = new_size;
 }
 /* Include the NULL character */
--
cgit
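Review bot: The doubling in the grow loop, `new_size = (buff->buf_size << 1);`, has no overflow guard. `new_size` is `uint32_t` (and `buf_size` presumably is too), so once `buf_size` reaches 2^31 the shift wraps to 0; where `realloc(p, 0)` frees `p` and returns NULL, the early `return` then leaves `buff->data` pointing at freed memory, which is the corruption this commit sets out to remove. A guard before the shift closes that case: `if (buff->buf_size > UINT32_MAX / 2) return;`. The length is also held in `int len` although `strlen()` returns `size_t`, so declaring it `size_t len;` keeps the `data_size + len + 1` comparison from seeing a truncated or negative value. The copy that follows `/* Include the NULL character */` lies outside the hunk, so whether it re-checks the capacity cannot be confirmed from here.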