confdb: Properly check result of object_find_create

in confdb_object_iter result of object_find_create is now properly
checked. object_find_create can return -1 if object doesn't exists.
Without this check, incorrect handle (memory garbage) was directly
passed to object_find_next.

Signed-off-by: Jan Friesse <jfriesse@redhat.com>
Reviewed-by: Angus Salkeld <asalkeld@redhat.com>

diff --git a/services/confdb.c b/services/confdb.c
index b57a0412e0c20d3144443fddc20ecf224d7e0e8c..64def8a0e432b63b2ce4b51fbc0739591c12797a 100644 (file)
--- a/services/confdb.c
+++ b/services/confdb.c
@@ -708,9 +708,12 @@ static void message_handler_req_lib_confdb_object_iter (void *conn,
        int ret = CS_OK;
 
        if (!req_lib_confdb_object_iter->find_handle) {
-               api->object_find_create(req_lib_confdb_object_iter->parent_object_handle,
+               if (api->object_find_create(req_lib_confdb_object_iter->parent_object_handle,
                                        NULL, 0,
-                                       m2h(&res_lib_confdb_object_iter.find_handle));
+                                       m2h(&res_lib_confdb_object_iter.find_handle)) == -1) {
+                       ret = CS_ERR_ACCESS;
+                       goto response_send;
+               }
        }
        else
                res_lib_confdb_object_iter.find_handle = req_lib_confdb_object_iter->find_handle;
@@ -721,12 +724,17 @@ static void message_handler_req_lib_confdb_object_iter (void *conn,
                api->object_find_destroy(res_lib_confdb_object_iter.find_handle);
        }
        else {
-               api->object_name_get(res_lib_confdb_object_iter.object_handle,
+               if (api->object_name_get(res_lib_confdb_object_iter.object_handle,
                                     (char *)res_lib_confdb_object_iter.object_name.value,
-                                    &object_name_len);
-
-               res_lib_confdb_object_iter.object_name.length = object_name_len;
+                                    &object_name_len) == -1) {
+                       ret = CS_ERR_ACCESS;
+                       goto response_send;
+               } else {
+                       res_lib_confdb_object_iter.object_name.length = object_name_len;
+               }
        }
+
+response_send:
        res_lib_confdb_object_iter.header.size = sizeof(res_lib_confdb_object_iter);
        res_lib_confdb_object_iter.header.id = MESSAGE_RES_CONFDB_OBJECT_ITER;
        res_lib_confdb_object_iter.header.error = ret;
@@ -743,10 +751,13 @@ static void message_handler_req_lib_confdb_object_find (void *conn,
        int ret = CS_OK;
 
        if (!req_lib_confdb_object_find->find_handle) {
-               api->object_find_create(req_lib_confdb_object_find->parent_object_handle,
+               if (api->object_find_create(req_lib_confdb_object_find->parent_object_handle,
                                        req_lib_confdb_object_find->object_name.value,
                                        req_lib_confdb_object_find->object_name.length,
-                                       m2h(&res_lib_confdb_object_find.find_handle));
+                                       m2h(&res_lib_confdb_object_find.find_handle)) == -1) {
+                       ret = CS_ERR_ACCESS;
+                       goto response_send;
+               }
        }
        else
                res_lib_confdb_object_find.find_handle = req_lib_confdb_object_find->find_handle;
@@ -757,6 +768,8 @@ static void message_handler_req_lib_confdb_object_find (void *conn,
                api->object_find_destroy(res_lib_confdb_object_find.find_handle);
        }
 
+
+response_send:
        res_lib_confdb_object_find.header.size = sizeof(res_lib_confdb_object_find);
        res_lib_confdb_object_find.header.id = MESSAGE_RES_CONFDB_OBJECT_FIND;
        res_lib_confdb_object_find.header.error = ret;