Bug Summary

File:sm_process.c
Location:line 830, column 2
Description:Dereference of null pointer

Annotated Source Code

1/*
2
3Copyright 1993, 1998 The Open Group
4
5Permission to use, copy, modify, distribute, and sell this software and its
6documentation for any purpose is hereby granted without fee, provided that
7the above copyright notice appear in all copies and that both that
8copyright notice and this permission notice appear in supporting
9documentation.
10
11The above copyright notice and this permission notice shall be included in
12all copies or substantial portions of the Software.
13
14THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
15IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
16FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
17OPEN GROUP BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
18AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
19CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
20
21Except as contained in this notice, the name of The Open Group shall not be
22used in advertising or otherwise to promote the sale, use or other dealings
23in this Software without prior written authorization from The Open Group.
24
25*/
26
27/*
28 * Author: Ralph Mor, X Consortium
29 */
30
31#ifdef HAVE_CONFIG_H1
32#include <config.h>
33#endif
34#include <X11/SM/SMlib.h>
35#include "SMlibint.h"
36
37
38/*
39 * Check for bad length
40 */
41
42#define CHECK_SIZE_MATCH(_iceConn, _majorOp, _minorOp, _expected_len, _actual_len, _severity)if ((((_actual_len) - 8) >> 3) != _expected_len) { _IceErrorBadLength
(_iceConn, _majorOp, _minorOp, _severity); return; }
\
43 if ((((_actual_len) - SIZEOF (iceMsg)8) >> 3) != _expected_len) \
44 { \
45 _IceErrorBadLength (_iceConn, _majorOp, _minorOp, _severity); \
46 return; \
47 }
48
49#define CHECK_AT_LEAST_SIZE(_iceConn, _majorOp, _minorOp, _expected_len, _actual_len, _severity)if ((((_actual_len) - 8) >> 3) > _expected_len) { _IceErrorBadLength
(_iceConn, _majorOp, _minorOp, _severity); return; }
\
50 if ((((_actual_len) - SIZEOF (iceMsg)8) >> 3) > _expected_len) \
51 { \
52 _IceErrorBadLength (_iceConn, _majorOp, _minorOp, _severity); \
53 return; \
54 }
55
56#define CHECK_COMPLETE_SIZE(_iceConn, _majorOp, _minorOp, _expected_len, _actual_len, _pStart, _severity)if (((((_actual_len) + ((8 - ((unsigned int) ((_actual_len)) %
8)) % 8)) - 8) >> 3) != _expected_len) { _IceErrorBadLength
(_iceConn, _majorOp, _minorOp, _severity); if ((char *) _pStart
< iceConn->inbuf || (char *) _pStart >= iceConn->
inbufmax) free ((char *) _pStart);; return; }
\
57 if (((PADDED_BYTES64((_actual_len))((_actual_len) + ((8 - ((unsigned int) ((_actual_len)) % 8)) %
8))
- SIZEOF (iceMsg)8) >> 3) \
58 != _expected_len) \
59 { \
60 _IceErrorBadLength (_iceConn, _majorOp, _minorOp, _severity); \
61 IceDisposeCompleteMessage (iceConn, _pStart)if ((char *) _pStart < iceConn->inbuf || (char *) _pStart
>= iceConn->inbufmax) free ((char *) _pStart);
; \
62 return; \
63 }
64
65
66
67void
68_SmcProcessMessage(IceConn iceConn, IcePointer clientData, int opcode,
69 unsigned long length, Boolint swap,
70 IceReplyWaitInfo *replyWait, Boolint *replyReadyRet)
71{
72 SmcConn smcConn = (SmcConn) clientData;
73
74 if (replyWait)
75 *replyReadyRet = False0;
76
77 if (!smcConn->client_id &&
78 opcode != SM_RegisterClientReply2 && opcode != SM_Error0)
79 {
80 _IceReadSkip (iceConn, length << 3);
81
82 _IceErrorBadState (iceConn, _SmcOpcode, opcode, IceFatalToProtocol1);
83 return;
84 }
85
86 switch (opcode)
87 {
88 case SM_Error0:
89 {
90 iceErrorMsg *pMsg;
91 char *pData;
92
93 CHECK_AT_LEAST_SIZE (iceConn, _SmcOpcode, opcode,if ((((16) - 8) >> 3) > length) { _IceErrorBadLength
(iceConn, _SmcOpcode, opcode, 1); return; }
94 length, SIZEOF (iceErrorMsg), IceFatalToProtocol)if ((((16) - 8) >> 3) > length) { _IceErrorBadLength
(iceConn, _SmcOpcode, opcode, 1); return; }
;
95
96 IceReadCompleteMessage (iceConn, SIZEOF (iceErrorMsg),{ unsigned long _bytes; { _IceRead (iceConn, (unsigned long) (
16 - 8), iceConn->inbufptr); pMsg = (iceErrorMsg *) (iceConn
->inbuf); iceConn->inbufptr += (16 - 8); }; _bytes = (pMsg
->length << 3) - (16 - 8); if ((iceConn->inbufmax
- iceConn->inbufptr) >= _bytes) { _IceRead (iceConn, _bytes
, iceConn->inbufptr); pData = iceConn->inbufptr; iceConn
->inbufptr += _bytes; } else { pData = (char *) malloc ((unsigned
) _bytes); if (pData) _IceRead (iceConn, _bytes, pData); else
_IceReadSkip (iceConn, _bytes); } }
97 iceErrorMsg, pMsg, pData){ unsigned long _bytes; { _IceRead (iceConn, (unsigned long) (
16 - 8), iceConn->inbufptr); pMsg = (iceErrorMsg *) (iceConn
->inbuf); iceConn->inbufptr += (16 - 8); }; _bytes = (pMsg
->length << 3) - (16 - 8); if ((iceConn->inbufmax
- iceConn->inbufptr) >= _bytes) { _IceRead (iceConn, _bytes
, iceConn->inbufptr); pData = iceConn->inbufptr; iceConn
->inbufptr += _bytes; } else { pData = (char *) malloc ((unsigned
) _bytes); if (pData) _IceRead (iceConn, _bytes, pData); else
_IceReadSkip (iceConn, _bytes); } }
;
98
99 if (!IceValidIO (iceConn)iceConn->io_ok)
100 {
101 IceDisposeCompleteMessage (iceConn, pData)if ((char *) pData < iceConn->inbuf || (char *) pData >=
iceConn->inbufmax) free ((char *) pData);
;
102 return;
103 }
104
105 if (swap)
106 {
107 pMsg->errorClass = lswaps (pMsg->errorClass)((((pMsg->errorClass) & 0xff) << 8) | (((pMsg->
errorClass) >> 8) & 0xff))
;
108 pMsg->offendingSequenceNum = lswapl (pMsg->offendingSequenceNum)((((pMsg->offendingSequenceNum) & 0xff) << 24) |
(((pMsg->offendingSequenceNum) & 0xff00) << 8) |
(((pMsg->offendingSequenceNum) & 0xff0000) >> 8
) | (((pMsg->offendingSequenceNum) >> 24) & 0xff
))
;
109 }
110
111 if (replyWait &&
112 replyWait->minor_opcode_of_request == SM_RegisterClient1 &&
113 pMsg->errorClass == IceBadValue0x8003 &&
114 pMsg->offendingMinorOpcode == SM_RegisterClient1 &&
115 pMsg->offendingSequenceNum == replyWait->sequence_of_request)
116 {
117 /*
118 * For Register Client, the previous ID was bad.
119 */
120
121 _SmcRegisterClientReply *reply =
122 (_SmcRegisterClientReply *) (replyWait->reply);
123
124 reply->status = 0;
125
126 *replyReadyRet = True1;
127 }
128 else
129 {
130 (*_SmcErrorHandler) (smcConn, swap,
131 pMsg->offendingMinorOpcode,
132 pMsg->offendingSequenceNum,
133 pMsg->errorClass, pMsg->severity,
134 (SmPointer) pData);
135 }
136
137 IceDisposeCompleteMessage (iceConn, pData)if ((char *) pData < iceConn->inbuf || (char *) pData >=
iceConn->inbufmax) free ((char *) pData);
;
138 break;
139 }
140
141 case SM_RegisterClientReply2:
142
143 if (!replyWait ||
144 replyWait->minor_opcode_of_request != SM_RegisterClient1)
145 {
146 _IceReadSkip (iceConn, length << 3);
147
148 _IceErrorBadState (iceConn, _SmcOpcode,
149 SM_RegisterClientReply2, IceFatalToProtocol1);
150 }
151 else
152 {
153 smRegisterClientReplyMsg *pMsg;
154 char *pData, *pStart;
155 _SmcRegisterClientReply *reply =
156 (_SmcRegisterClientReply *) (replyWait->reply);
157
158#if 0 /* No-op */
159 CHECK_AT_LEAST_SIZE (iceConn, _SmcOpcode, opcode,if ((((8) - 8) >> 3) > length) { _IceErrorBadLength (
iceConn, _SmcOpcode, opcode, 1); return; }
160 length, SIZEOF (smRegisterClientReplyMsg), IceFatalToProtocol)if ((((8) - 8) >> 3) > length) { _IceErrorBadLength (
iceConn, _SmcOpcode, opcode, 1); return; }
;
161#endif
162
163 IceReadCompleteMessage (iceConn, SIZEOF (smRegisterClientReplyMsg),{ unsigned long _bytes; { _IceRead (iceConn, (unsigned long) (
8 - 8), iceConn->inbufptr); pMsg = (smRegisterClientReplyMsg
*) (iceConn->inbuf); iceConn->inbufptr += (8 - 8); }; _bytes
= (pMsg->length << 3) - (8 - 8); if ((iceConn->inbufmax
- iceConn->inbufptr) >= _bytes) { _IceRead (iceConn, _bytes
, iceConn->inbufptr); pStart = iceConn->inbufptr; iceConn
->inbufptr += _bytes; } else { pStart = (char *) malloc ((
unsigned) _bytes); if (pStart) _IceRead (iceConn, _bytes, pStart
); else _IceReadSkip (iceConn, _bytes); } }
164 smRegisterClientReplyMsg, pMsg, pStart){ unsigned long _bytes; { _IceRead (iceConn, (unsigned long) (
8 - 8), iceConn->inbufptr); pMsg = (smRegisterClientReplyMsg
*) (iceConn->inbuf); iceConn->inbufptr += (8 - 8); }; _bytes
= (pMsg->length << 3) - (8 - 8); if ((iceConn->inbufmax
- iceConn->inbufptr) >= _bytes) { _IceRead (iceConn, _bytes
, iceConn->inbufptr); pStart = iceConn->inbufptr; iceConn
->inbufptr += _bytes; } else { pStart = (char *) malloc ((
unsigned) _bytes); if (pStart) _IceRead (iceConn, _bytes, pStart
); else _IceReadSkip (iceConn, _bytes); } }
;
165
166 if (!IceValidIO (iceConn)iceConn->io_ok)
167 {
168 IceDisposeCompleteMessage (iceConn, pStart)if ((char *) pStart < iceConn->inbuf || (char *) pStart
>= iceConn->inbufmax) free ((char *) pStart);
;
169 return;
170 }
171
172 pData = pStart;
173
174 SKIP_ARRAY8 (pData, swap){ CARD32 _len; { _len = *((CARD32 *) pData); pData += 4; if (
swap) _len = ((((_len) & 0xff) << 24) | (((_len) &
0xff00) << 8) | (((_len) & 0xff0000) >> 8) |
(((_len) >> 24) & 0xff)); }; pData += _len + ((8 -
((unsigned int) (4 + _len) % 8)) % 8); }
; /* client id */
175
176 CHECK_COMPLETE_SIZE (iceConn, _SmcOpcode, opcode,if (((((pData - pStart + 8) + ((8 - ((unsigned int) ((pData -
pStart + 8)) % 8)) % 8)) - 8) >> 3) != length) { _IceErrorBadLength
(iceConn, _SmcOpcode, opcode, 1); if ((char *) pStart < iceConn
->inbuf || (char *) pStart >= iceConn->inbufmax) free
((char *) pStart);; return; }
177 length, pData - pStart + SIZEOF (smRegisterClientReplyMsg),if (((((pData - pStart + 8) + ((8 - ((unsigned int) ((pData -
pStart + 8)) % 8)) % 8)) - 8) >> 3) != length) { _IceErrorBadLength
(iceConn, _SmcOpcode, opcode, 1); if ((char *) pStart < iceConn
->inbuf || (char *) pStart >= iceConn->inbufmax) free
((char *) pStart);; return; }
178 pStart, IceFatalToProtocol)if (((((pData - pStart + 8) + ((8 - ((unsigned int) ((pData -
pStart + 8)) % 8)) % 8)) - 8) >> 3) != length) { _IceErrorBadLength
(iceConn, _SmcOpcode, opcode, 1); if ((char *) pStart < iceConn
->inbuf || (char *) pStart >= iceConn->inbufmax) free
((char *) pStart);; return; }
;
179
180 pData = pStart;
181
182 EXTRACT_ARRAY8_AS_STRING (pData, swap, reply->client_id){ CARD32 _len; { _len = *((CARD32 *) pData); pData += 4; if (
swap) _len = ((((_len) & 0xff) << 24) | (((_len) &
0xff00) << 8) | (((_len) & 0xff0000) >> 8) |
(((_len) >> 24) & 0xff)); }; reply->client_id =
malloc (_len + 1); memcpy (reply->client_id, pData, _len)
; reply->client_id[_len] = '\0'; pData += _len + ((8 - ((unsigned
int) (4 + _len) % 8)) % 8); }
;
183
184 reply->status = 1;
185 *replyReadyRet = True1;
186
187 IceDisposeCompleteMessage (iceConn, pStart)if ((char *) pStart < iceConn->inbuf || (char *) pStart
>= iceConn->inbufmax) free ((char *) pStart);
;
188 }
189 break;
190
191 case SM_SaveYourself3:
192 {
193 smSaveYourselfMsg *pMsg;
194 unsigned char errVal;
195 int errOffset = -1;
196
197 CHECK_SIZE_MATCH (iceConn, _SmcOpcode, opcode,if ((((16) - 8) >> 3) != length) { _IceErrorBadLength (
iceConn, _SmcOpcode, opcode, 1); return; }
198 length, SIZEOF (smSaveYourselfMsg),if ((((16) - 8) >> 3) != length) { _IceErrorBadLength (
iceConn, _SmcOpcode, opcode, 1); return; }
199 IceFatalToProtocol)if ((((16) - 8) >> 3) != length) { _IceErrorBadLength (
iceConn, _SmcOpcode, opcode, 1); return; }
;
200
201 IceReadMessageHeader (iceConn, SIZEOF (smSaveYourselfMsg),{ _IceRead (iceConn, (unsigned long) (16 - 8), iceConn->inbufptr
); pMsg = (smSaveYourselfMsg *) (iceConn->inbuf); iceConn->
inbufptr += (16 - 8); }
202 smSaveYourselfMsg, pMsg){ _IceRead (iceConn, (unsigned long) (16 - 8), iceConn->inbufptr
); pMsg = (smSaveYourselfMsg *) (iceConn->inbuf); iceConn->
inbufptr += (16 - 8); }
;
203
204 if (!IceValidIO (iceConn)iceConn->io_ok)
205 {
206 return;
207 }
208
209 if (pMsg->saveType != SmSaveGlobal0 &&
210 pMsg->saveType != SmSaveLocal1 &&
211 pMsg->saveType != SmSaveBoth2)
212 {
213 errVal = pMsg->saveType;
214 errOffset = 8;
215 }
216 else if (pMsg->shutdown != 1 && pMsg->shutdown != 0)
217 {
218 errVal = pMsg->shutdown;
219 errOffset = 9;
220 }
221 else if (pMsg->interactStyle != SmInteractStyleNone0 &&
222 pMsg->interactStyle != SmInteractStyleErrors1 &&
223 pMsg->interactStyle != SmInteractStyleAny2)
224 {
225 errVal = pMsg->interactStyle;
226 errOffset = 10;
227 }
228 else if (pMsg->fast != 1 && pMsg->fast != 0)
229 {
230 errVal = pMsg->fast;
231 errOffset = 11;
232 }
233
234 if (errOffset >= 0)
235 {
236 _IceErrorBadValue (iceConn, _SmcOpcode,
237 SM_SaveYourself3, errOffset, 1, (IcePointer) &errVal);
238 }
239 else
240 {
241 (*smcConn->callbacks.save_yourself.callback) (smcConn,
242 smcConn->callbacks.save_yourself.client_data,
243 pMsg->saveType, pMsg->shutdown,
244 pMsg->interactStyle, pMsg->fast);
245
246 smcConn->save_yourself_in_progress = True1;
247
248 if (pMsg->shutdown)
249 smcConn->shutdown_in_progress = True1;
250 }
251 break;
252 }
253
254 case SM_SaveYourselfPhase217:
255
256 if (!smcConn->phase2_wait)
257 {
258 _IceErrorBadState (iceConn, _SmcOpcode,
259 SM_SaveYourselfPhase217, IceCanContinue0);
260 }
261 else
262 {
263 CHECK_SIZE_MATCH (iceConn, _SmcOpcode, opcode,if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmcOpcode, opcode, 1); return; }
264 length, SIZEOF (smSaveYourselfPhase2Msg),if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmcOpcode, opcode, 1); return; }
265 IceFatalToProtocol)if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmcOpcode, opcode, 1); return; }
;
266
267 (*smcConn->phase2_wait->phase2_proc) (smcConn,
268 smcConn->phase2_wait->client_data);
269
270 free (smcConn->phase2_wait);
271 smcConn->phase2_wait = NULL((void*)0);
272 }
273 break;
274
275 case SM_Interact6:
276
277 if (!smcConn->interact_waits)
278 {
279 _IceErrorBadState (iceConn, _SmcOpcode,
280 SM_Interact6, IceCanContinue0);
281 }
282 else
283 {
284 _SmcInteractWait *next = smcConn->interact_waits->next;
285
286 CHECK_SIZE_MATCH (iceConn, _SmcOpcode, opcode,if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmcOpcode, opcode, 1); return; }
287 length, SIZEOF (smInteractMsg),if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmcOpcode, opcode, 1); return; }
288 IceFatalToProtocol)if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmcOpcode, opcode, 1); return; }
;
289
290 (*smcConn->interact_waits->interact_proc) (smcConn,
291 smcConn->interact_waits->client_data);
292
293 free (smcConn->interact_waits);
294 smcConn->interact_waits = next;
295 }
296 break;
297
298 case SM_SaveComplete18:
299
300 if (!smcConn->save_yourself_in_progress)
301 {
302 _IceErrorBadState (iceConn, _SmcOpcode,
303 SM_SaveComplete18, IceCanContinue0);
304 }
305 else
306 {
307 CHECK_SIZE_MATCH (iceConn, _SmcOpcode, opcode,if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmcOpcode, opcode, 1); return; }
308 length, SIZEOF (smSaveCompleteMsg),if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmcOpcode, opcode, 1); return; }
309 IceFatalToProtocol)if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmcOpcode, opcode, 1); return; }
;
310
311 smcConn->save_yourself_in_progress = False0;
312
313 (*smcConn->callbacks.save_complete.callback) (smcConn,
314 smcConn->callbacks.save_complete.client_data);
315 }
316 break;
317
318 case SM_Die9:
319
320 CHECK_SIZE_MATCH (iceConn, _SmcOpcode, opcode,if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmcOpcode, opcode, 1); return; }
321 length, SIZEOF (smDieMsg),if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmcOpcode, opcode, 1); return; }
322 IceFatalToProtocol)if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmcOpcode, opcode, 1); return; }
;
323
324 (*smcConn->callbacks.die.callback) (smcConn,
325 smcConn->callbacks.die.client_data);
326 break;
327
328 case SM_ShutdownCancelled10:
329
330 if (!smcConn->shutdown_in_progress)
331 {
332 _IceErrorBadState (iceConn, _SmcOpcode,
333 SM_ShutdownCancelled10, IceCanContinue0);
334 }
335 else
336 {
337 CHECK_SIZE_MATCH (iceConn, _SmcOpcode, opcode,if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmcOpcode, opcode, 1); return; }
338 length, SIZEOF (smShutdownCancelledMsg),if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmcOpcode, opcode, 1); return; }
339 IceFatalToProtocol)if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmcOpcode, opcode, 1); return; }
;
340
341 smcConn->shutdown_in_progress = False0;
342
343 (*smcConn->callbacks.shutdown_cancelled.callback) (smcConn,
344 smcConn->callbacks.shutdown_cancelled.client_data);
345 }
346 break;
347
348 case SM_PropertiesReply15:
349
350 if (!smcConn->prop_reply_waits)
351 {
352 _IceReadSkip (iceConn, length << 3);
353
354 _IceErrorBadState (iceConn, _SmcOpcode,
355 SM_PropertiesReply15, IceCanContinue0);
356 }
357 else
358 {
359 smPropertiesReplyMsg *pMsg;
360 char *pData, *pStart;
361 int numProps;
362 SmProp **props = NULL((void*)0);
363 _SmcPropReplyWait *next;
364
365#if 0 /* No-op */
366 CHECK_AT_LEAST_SIZE (iceConn, _SmcOpcode, opcode,if ((((8) - 8) >> 3) > length) { _IceErrorBadLength (
iceConn, _SmcOpcode, opcode, 1); return; }
367 length, SIZEOF (smPropertiesReplyMsg), IceFatalToProtocol)if ((((8) - 8) >> 3) > length) { _IceErrorBadLength (
iceConn, _SmcOpcode, opcode, 1); return; }
;
368#endif
369
370 IceReadCompleteMessage (iceConn, SIZEOF (smPropertiesReplyMsg),{ unsigned long _bytes; { _IceRead (iceConn, (unsigned long) (
8 - 8), iceConn->inbufptr); pMsg = (smPropertiesReplyMsg *
) (iceConn->inbuf); iceConn->inbufptr += (8 - 8); }; _bytes
= (pMsg->length << 3) - (8 - 8); if ((iceConn->inbufmax
- iceConn->inbufptr) >= _bytes) { _IceRead (iceConn, _bytes
, iceConn->inbufptr); pStart = iceConn->inbufptr; iceConn
->inbufptr += _bytes; } else { pStart = (char *) malloc ((
unsigned) _bytes); if (pStart) _IceRead (iceConn, _bytes, pStart
); else _IceReadSkip (iceConn, _bytes); } }
371 smPropertiesReplyMsg, pMsg, pStart){ unsigned long _bytes; { _IceRead (iceConn, (unsigned long) (
8 - 8), iceConn->inbufptr); pMsg = (smPropertiesReplyMsg *
) (iceConn->inbuf); iceConn->inbufptr += (8 - 8); }; _bytes
= (pMsg->length << 3) - (8 - 8); if ((iceConn->inbufmax
- iceConn->inbufptr) >= _bytes) { _IceRead (iceConn, _bytes
, iceConn->inbufptr); pStart = iceConn->inbufptr; iceConn
->inbufptr += _bytes; } else { pStart = (char *) malloc ((
unsigned) _bytes); if (pStart) _IceRead (iceConn, _bytes, pStart
); else _IceReadSkip (iceConn, _bytes); } }
;
372
373 if (!IceValidIO (iceConn)iceConn->io_ok)
374 {
375 IceDisposeCompleteMessage (iceConn, pStart)if ((char *) pStart < iceConn->inbuf || (char *) pStart
>= iceConn->inbufmax) free ((char *) pStart);
;
376 return;
377 }
378
379 pData = pStart;
380
381 SKIP_LISTOF_PROPERTY (pData, swap){ int _i, _j; CARD32 _count; { _count = *((CARD32 *) pData); pData
+= 4; if (swap) _count = ((((_count) & 0xff) << 24
) | (((_count) & 0xff00) << 8) | (((_count) & 0xff0000
) >> 8) | (((_count) >> 24) & 0xff)); }; pData
+= 4; for (_i = 0; _i < _count; _i++) { CARD32 _numvals; {
CARD32 _len; { _len = *((CARD32 *) pData); pData += 4; if (swap
) _len = ((((_len) & 0xff) << 24) | (((_len) & 0xff00
) << 8) | (((_len) & 0xff0000) >> 8) | (((_len
) >> 24) & 0xff)); }; pData += _len + ((8 - ((unsigned
int) (4 + _len) % 8)) % 8); }; { CARD32 _len; { _len = *((CARD32
*) pData); pData += 4; if (swap) _len = ((((_len) & 0xff
) << 24) | (((_len) & 0xff00) << 8) | (((_len
) & 0xff0000) >> 8) | (((_len) >> 24) & 0xff
)); }; pData += _len + ((8 - ((unsigned int) (4 + _len) % 8))
% 8); }; { _numvals = *((CARD32 *) pData); pData += 4; if (swap
) _numvals = ((((_numvals) & 0xff) << 24) | (((_numvals
) & 0xff00) << 8) | (((_numvals) & 0xff0000) >>
8) | (((_numvals) >> 24) & 0xff)); }; pData += 4; for
(_j = 0; _j < _numvals; _j++) { CARD32 _len; { _len = *((
CARD32 *) pData); pData += 4; if (swap) _len = ((((_len) &
0xff) << 24) | (((_len) & 0xff00) << 8) | ((
(_len) & 0xff0000) >> 8) | (((_len) >> 24) &
0xff)); }; pData += _len + ((8 - ((unsigned int) (4 + _len) %
8)) % 8); }; } }
;
382
383 CHECK_COMPLETE_SIZE (iceConn, _SmcOpcode, opcode,if (((((pData - pStart + 8) + ((8 - ((unsigned int) ((pData -
pStart + 8)) % 8)) % 8)) - 8) >> 3) != length) { _IceErrorBadLength
(iceConn, _SmcOpcode, opcode, 1); if ((char *) pStart < iceConn
->inbuf || (char *) pStart >= iceConn->inbufmax) free
((char *) pStart);; return; }
384 length, pData - pStart + SIZEOF (smPropertiesReplyMsg),if (((((pData - pStart + 8) + ((8 - ((unsigned int) ((pData -
pStart + 8)) % 8)) % 8)) - 8) >> 3) != length) { _IceErrorBadLength
(iceConn, _SmcOpcode, opcode, 1); if ((char *) pStart < iceConn
->inbuf || (char *) pStart >= iceConn->inbufmax) free
((char *) pStart);; return; }
385 pStart, IceFatalToProtocol)if (((((pData - pStart + 8) + ((8 - ((unsigned int) ((pData -
pStart + 8)) % 8)) % 8)) - 8) >> 3) != length) { _IceErrorBadLength
(iceConn, _SmcOpcode, opcode, 1); if ((char *) pStart < iceConn
->inbuf || (char *) pStart >= iceConn->inbufmax) free
((char *) pStart);; return; }
;
386
387 pData = pStart;
388
389 EXTRACT_LISTOF_PROPERTY (pData, swap, numProps, props){ int _i, _j; { numProps = *((CARD32 *) pData); pData += 4; if
(swap) numProps = ((((numProps) & 0xff) << 24) | (
((numProps) & 0xff00) << 8) | (((numProps) & 0xff0000
) >> 8) | (((numProps) >> 24) & 0xff)); }; pData
+= 4; props = malloc (numProps * sizeof (SmProp *)); for (_i
= 0; _i < numProps; _i++) { props[_i] = malloc (sizeof (SmProp
)); { CARD32 _len; { _len = *((CARD32 *) pData); pData += 4; if
(swap) _len = ((((_len) & 0xff) << 24) | (((_len) &
0xff00) << 8) | (((_len) & 0xff0000) >> 8) |
(((_len) >> 24) & 0xff)); }; props[_i]->name = malloc
(_len + 1); memcpy (props[_i]->name, pData, _len); props[
_i]->name[_len] = '\0'; pData += _len + ((8 - ((unsigned int
) (4 + _len) % 8)) % 8); }; { CARD32 _len; { _len = *((CARD32
*) pData); pData += 4; if (swap) _len = ((((_len) & 0xff
) << 24) | (((_len) & 0xff00) << 8) | (((_len
) & 0xff0000) >> 8) | (((_len) >> 24) & 0xff
)); }; props[_i]->type = malloc (_len + 1); memcpy (props[
_i]->type, pData, _len); props[_i]->type[_len] = '\0'; pData
+= _len + ((8 - ((unsigned int) (4 + _len) % 8)) % 8); }; { props
[_i]->num_vals = *((CARD32 *) pData); pData += 4; if (swap
) props[_i]->num_vals = ((((props[_i]->num_vals) & 0xff
) << 24) | (((props[_i]->num_vals) & 0xff00) <<
8) | (((props[_i]->num_vals) & 0xff0000) >> 8) |
(((props[_i]->num_vals) >> 24) & 0xff)); }; pData
+= 4; props[_i]->vals = malloc ( props[_i]->num_vals *
sizeof (SmPropValue)); for (_j = 0; _j < props[_i]->num_vals
; _j++) { char *_temp; { { props[_i]->vals[_j].length = *(
(CARD32 *) pData); pData += 4; if (swap) props[_i]->vals[_j
].length = ((((props[_i]->vals[_j].length) & 0xff) <<
24) | (((props[_i]->vals[_j].length) & 0xff00) <<
8) | (((props[_i]->vals[_j].length) & 0xff0000) >>
8) | (((props[_i]->vals[_j].length) >> 24) & 0xff
)); }; _temp = malloc (props[_i]->vals[_j].length + 1); memcpy
(_temp, pData, props[_i]->vals[_j].length); _temp[props[_i
]->vals[_j].length] = '\0'; pData += props[_i]->vals[_j
].length + ((8 - ((unsigned int) (4 + props[_i]->vals[_j].
length) % 8)) % 8); }; props[_i]->vals[_j].value = (SmPointer
) _temp; } } }
;
390
391 next = smcConn->prop_reply_waits->next;
392
393 (*smcConn->prop_reply_waits->prop_reply_proc) (smcConn,
394 smcConn->prop_reply_waits->client_data, numProps, props);
395
396 free (smcConn->prop_reply_waits);
397 smcConn->prop_reply_waits = next;
398
399 IceDisposeCompleteMessage (iceConn, pStart)if ((char *) pStart < iceConn->inbuf || (char *) pStart
>= iceConn->inbufmax) free ((char *) pStart);
;
400 }
401 break;
402
403 default:
404 {
405 _IceErrorBadMinor (iceConn, _SmcOpcode, opcode, IceCanContinue0);
406 _IceReadSkip (iceConn, length << 3);
407 break;
408 }
409 }
410}
411
412
413
414void
415_SmsProcessMessage(IceConn iceConn, IcePointer clientData, int opcode,
416 unsigned long length, Boolint swap)
417{
418 SmsConn smsConn = (SmsConn) clientData;
419
420 if (!smsConn->client_id &&
1
Taking false branch
421 opcode != SM_RegisterClient1 && opcode != SM_Error0)
422 {
423 _IceReadSkip (iceConn, length << 3);
424
425 _IceErrorBadState (iceConn, _SmsOpcode, opcode, IceFatalToProtocol1);
426
427 return;
428 }
429
430 switch (opcode)
2
Control jumps to 'case 13:' at line 807
431 {
432 case SM_Error0:
433 {
434 iceErrorMsg *pMsg;
435 char *pData;
436
437 CHECK_AT_LEAST_SIZE (iceConn, _SmsOpcode, opcode,if ((((16) - 8) >> 3) > length) { _IceErrorBadLength
(iceConn, _SmsOpcode, opcode, 1); return; }
438 length, SIZEOF (iceErrorMsg), IceFatalToProtocol)if ((((16) - 8) >> 3) > length) { _IceErrorBadLength
(iceConn, _SmsOpcode, opcode, 1); return; }
;
439
440 IceReadCompleteMessage (iceConn, SIZEOF (iceErrorMsg),{ unsigned long _bytes; { _IceRead (iceConn, (unsigned long) (
16 - 8), iceConn->inbufptr); pMsg = (iceErrorMsg *) (iceConn
->inbuf); iceConn->inbufptr += (16 - 8); }; _bytes = (pMsg
->length << 3) - (16 - 8); if ((iceConn->inbufmax
- iceConn->inbufptr) >= _bytes) { _IceRead (iceConn, _bytes
, iceConn->inbufptr); pData = iceConn->inbufptr; iceConn
->inbufptr += _bytes; } else { pData = (char *) malloc ((unsigned
) _bytes); if (pData) _IceRead (iceConn, _bytes, pData); else
_IceReadSkip (iceConn, _bytes); } }
441 iceErrorMsg, pMsg, pData){ unsigned long _bytes; { _IceRead (iceConn, (unsigned long) (
16 - 8), iceConn->inbufptr); pMsg = (iceErrorMsg *) (iceConn
->inbuf); iceConn->inbufptr += (16 - 8); }; _bytes = (pMsg
->length << 3) - (16 - 8); if ((iceConn->inbufmax
- iceConn->inbufptr) >= _bytes) { _IceRead (iceConn, _bytes
, iceConn->inbufptr); pData = iceConn->inbufptr; iceConn
->inbufptr += _bytes; } else { pData = (char *) malloc ((unsigned
) _bytes); if (pData) _IceRead (iceConn, _bytes, pData); else
_IceReadSkip (iceConn, _bytes); } }
;
442
443 if (!IceValidIO (iceConn)iceConn->io_ok)
444 {
445 IceDisposeCompleteMessage (iceConn, pData)if ((char *) pData < iceConn->inbuf || (char *) pData >=
iceConn->inbufmax) free ((char *) pData);
;
446 return;
447 }
448
449 if (swap)
450 {
451 pMsg->errorClass = lswaps (pMsg->errorClass)((((pMsg->errorClass) & 0xff) << 8) | (((pMsg->
errorClass) >> 8) & 0xff))
;
452 pMsg->offendingSequenceNum = lswapl (pMsg->offendingSequenceNum)((((pMsg->offendingSequenceNum) & 0xff) << 24) |
(((pMsg->offendingSequenceNum) & 0xff00) << 8) |
(((pMsg->offendingSequenceNum) & 0xff0000) >> 8
) | (((pMsg->offendingSequenceNum) >> 24) & 0xff
))
;
453 }
454
455 (*_SmsErrorHandler) (smsConn, swap,
456 pMsg->offendingMinorOpcode,
457 pMsg->offendingSequenceNum,
458 pMsg->errorClass, pMsg->severity,
459 (SmPointer) pData);
460
461 IceDisposeCompleteMessage (iceConn, pData)if ((char *) pData < iceConn->inbuf || (char *) pData >=
iceConn->inbufmax) free ((char *) pData);
;
462 break;
463 }
464
465 case SM_RegisterClient1:
466 {
467 smRegisterClientMsg *pMsg;
468 char *pData, *pStart;
469 char *previousId;
470 int idLen;
471
472#if 0 /* No-op */
473 CHECK_AT_LEAST_SIZE (iceConn, _SmsOpcode, opcode,if ((((8) - 8) >> 3) > length) { _IceErrorBadLength (
iceConn, _SmsOpcode, opcode, 1); return; }
474 length, SIZEOF (smRegisterClientMsg), IceFatalToProtocol)if ((((8) - 8) >> 3) > length) { _IceErrorBadLength (
iceConn, _SmsOpcode, opcode, 1); return; }
;
475#endif
476
477 IceReadCompleteMessage (iceConn, SIZEOF (smRegisterClientMsg),{ unsigned long _bytes; { _IceRead (iceConn, (unsigned long) (
8 - 8), iceConn->inbufptr); pMsg = (smRegisterClientMsg *)
(iceConn->inbuf); iceConn->inbufptr += (8 - 8); }; _bytes
= (pMsg->length << 3) - (8 - 8); if ((iceConn->inbufmax
- iceConn->inbufptr) >= _bytes) { _IceRead (iceConn, _bytes
, iceConn->inbufptr); pStart = iceConn->inbufptr; iceConn
->inbufptr += _bytes; } else { pStart = (char *) malloc ((
unsigned) _bytes); if (pStart) _IceRead (iceConn, _bytes, pStart
); else _IceReadSkip (iceConn, _bytes); } }
478 smRegisterClientMsg, pMsg, pStart){ unsigned long _bytes; { _IceRead (iceConn, (unsigned long) (
8 - 8), iceConn->inbufptr); pMsg = (smRegisterClientMsg *)
(iceConn->inbuf); iceConn->inbufptr += (8 - 8); }; _bytes
= (pMsg->length << 3) - (8 - 8); if ((iceConn->inbufmax
- iceConn->inbufptr) >= _bytes) { _IceRead (iceConn, _bytes
, iceConn->inbufptr); pStart = iceConn->inbufptr; iceConn
->inbufptr += _bytes; } else { pStart = (char *) malloc ((
unsigned) _bytes); if (pStart) _IceRead (iceConn, _bytes, pStart
); else _IceReadSkip (iceConn, _bytes); } }
;
479
480 if (!IceValidIO (iceConn)iceConn->io_ok)
481 {
482 IceDisposeCompleteMessage (iceConn, pStart)if ((char *) pStart < iceConn->inbuf || (char *) pStart
>= iceConn->inbufmax) free ((char *) pStart);
;
483 return;
484 }
485
486 pData = pStart;
487
488 SKIP_ARRAY8 (pData, swap){ CARD32 _len; { _len = *((CARD32 *) pData); pData += 4; if (
swap) _len = ((((_len) & 0xff) << 24) | (((_len) &
0xff00) << 8) | (((_len) & 0xff0000) >> 8) |
(((_len) >> 24) & 0xff)); }; pData += _len + ((8 -
((unsigned int) (4 + _len) % 8)) % 8); }
; /* previous id */
489
490 CHECK_COMPLETE_SIZE (iceConn, _SmsOpcode, opcode,if (((((pData - pStart + 8) + ((8 - ((unsigned int) ((pData -
pStart + 8)) % 8)) % 8)) - 8) >> 3) != length) { _IceErrorBadLength
(iceConn, _SmsOpcode, opcode, 1); if ((char *) pStart < iceConn
->inbuf || (char *) pStart >= iceConn->inbufmax) free
((char *) pStart);; return; }
491 length, pData - pStart + SIZEOF (smRegisterClientMsg),if (((((pData - pStart + 8) + ((8 - ((unsigned int) ((pData -
pStart + 8)) % 8)) % 8)) - 8) >> 3) != length) { _IceErrorBadLength
(iceConn, _SmsOpcode, opcode, 1); if ((char *) pStart < iceConn
->inbuf || (char *) pStart >= iceConn->inbufmax) free
((char *) pStart);; return; }
492 pStart, IceFatalToProtocol)if (((((pData - pStart + 8) + ((8 - ((unsigned int) ((pData -
pStart + 8)) % 8)) % 8)) - 8) >> 3) != length) { _IceErrorBadLength
(iceConn, _SmsOpcode, opcode, 1); if ((char *) pStart < iceConn
->inbuf || (char *) pStart >= iceConn->inbufmax) free
((char *) pStart);; return; }
;
493
494 pData = pStart;
495
496 EXTRACT_ARRAY8 (pData, swap, idLen, previousId){ { idLen = *((CARD32 *) pData); pData += 4; if (swap) idLen =
((((idLen) & 0xff) << 24) | (((idLen) & 0xff00
) << 8) | (((idLen) & 0xff0000) >> 8) | (((idLen
) >> 24) & 0xff)); }; previousId = malloc (idLen + 1
); memcpy (previousId, pData, idLen); previousId[idLen] = '\0'
; pData += idLen + ((8 - ((unsigned int) (4 + idLen) % 8)) % 8
); }
;
497
498 if (*previousId == '\0')
499 {
500 free (previousId);
501 previousId = NULL((void*)0);
502 }
503
504 if (!(*smsConn->callbacks.register_client.callback) (smsConn,
505 smsConn->callbacks.register_client.manager_data, previousId))
506 {
507 /*
508 * The previoudId was bad. Generate BadValue error.
509 */
510
511 _IceErrorBadValue (smsConn->iceConn, _SmsOpcode, SM_RegisterClient1,
512 8, ARRAY8_BYTES (idLen)(4 + idLen + ((8 - ((unsigned int) (4 + idLen) % 8)) % 8)), (IcePointer) pStart);
513 }
514
515 IceDisposeCompleteMessage (iceConn, pStart)if ((char *) pStart < iceConn->inbuf || (char *) pStart
>= iceConn->inbufmax) free ((char *) pStart);
;
516 break;
517 }
518
519 case SM_InteractRequest5:
520
521 if (!smsConn->save_yourself_in_progress ||
522 smsConn->interaction_allowed == SmInteractStyleNone0)
523 {
524 _IceErrorBadState (iceConn, _SmsOpcode,
525 SM_InteractRequest5, IceCanContinue0);
526 }
527 else
528 {
529 smInteractRequestMsg *pMsg;
530
531 CHECK_SIZE_MATCH (iceConn, _SmsOpcode, opcode,if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmsOpcode, opcode, 1); return; }
532 length, SIZEOF (smInteractRequestMsg),if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmsOpcode, opcode, 1); return; }
533 IceFatalToProtocol)if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmsOpcode, opcode, 1); return; }
;
534
535 IceReadSimpleMessage (iceConn, smInteractRequestMsg, pMsg)pMsg = (smInteractRequestMsg *) (iceConn->inbuf);;
536
537 if (pMsg->dialogType != SmDialogNormal1 &&
538 pMsg->dialogType != SmDialogError0)
539 {
540 unsigned char errVal = pMsg->dialogType;
541
542 _IceErrorBadValue (iceConn, _SmsOpcode,
543 SM_InteractRequest5, 2, 1, (IcePointer) &errVal);
544 }
545 else if (pMsg->dialogType == SmDialogNormal1 &&
546 smsConn->interaction_allowed != SmInteractStyleAny2)
547 {
548 _IceErrorBadState (iceConn, _SmsOpcode,
549 SM_InteractRequest5, IceCanContinue0);
550 }
551 else
552 {
553 (*smsConn->callbacks.interact_request.callback) (smsConn,
554 smsConn->callbacks.interact_request.manager_data,
555 pMsg->dialogType);
556 }
557 }
558 break;
559
560 case SM_InteractDone7:
561
562 if (!smsConn->interact_in_progress)
563 {
564 _IceErrorBadState (iceConn, _SmsOpcode,
565 SM_InteractDone7, IceCanContinue0);
566 }
567 else
568 {
569 smInteractDoneMsg *pMsg;
570
571 CHECK_SIZE_MATCH (iceConn, _SmsOpcode, opcode,if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmsOpcode, opcode, 1); return; }
572 length, SIZEOF (smInteractDoneMsg),if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmsOpcode, opcode, 1); return; }
573 IceFatalToProtocol)if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmsOpcode, opcode, 1); return; }
;
574
575 IceReadSimpleMessage (iceConn, smInteractDoneMsg, pMsg)pMsg = (smInteractDoneMsg *) (iceConn->inbuf);;
576
577 if (pMsg->cancelShutdown != 1 &&
578 pMsg->cancelShutdown != 0)
579 {
580 unsigned char errVal = pMsg->cancelShutdown;
581
582 _IceErrorBadValue (iceConn, _SmsOpcode,
583 SM_InteractDone7, 2, 1, (IcePointer) &errVal);
584 }
585 else if (pMsg->cancelShutdown && !smsConn->can_cancel_shutdown)
586 {
587 _IceErrorBadState (iceConn, _SmsOpcode,
588 SM_InteractDone7, IceCanContinue0);
589 }
590 else
591 {
592 smsConn->interact_in_progress = False0;
593
594 (*smsConn->callbacks.interact_done.callback) (smsConn,
595 smsConn->callbacks.interact_done.manager_data,
596 pMsg->cancelShutdown);
597 }
598 }
599 break;
600
601 case SM_SaveYourselfRequest4:
602 {
603 smSaveYourselfRequestMsg *pMsg;
604 unsigned char errVal;
605 int errOffset = -1;
606
607 CHECK_SIZE_MATCH (iceConn, _SmsOpcode, opcode,if ((((16) - 8) >> 3) != length) { _IceErrorBadLength (
iceConn, _SmsOpcode, opcode, 1); return; }
608 length, SIZEOF (smSaveYourselfRequestMsg),if ((((16) - 8) >> 3) != length) { _IceErrorBadLength (
iceConn, _SmsOpcode, opcode, 1); return; }
609 IceFatalToProtocol)if ((((16) - 8) >> 3) != length) { _IceErrorBadLength (
iceConn, _SmsOpcode, opcode, 1); return; }
;
610
611 IceReadMessageHeader (iceConn, SIZEOF (smSaveYourselfRequestMsg),{ _IceRead (iceConn, (unsigned long) (16 - 8), iceConn->inbufptr
); pMsg = (smSaveYourselfRequestMsg *) (iceConn->inbuf); iceConn
->inbufptr += (16 - 8); }
612 smSaveYourselfRequestMsg, pMsg){ _IceRead (iceConn, (unsigned long) (16 - 8), iceConn->inbufptr
); pMsg = (smSaveYourselfRequestMsg *) (iceConn->inbuf); iceConn
->inbufptr += (16 - 8); }
;
613
614 if (!IceValidIO (iceConn)iceConn->io_ok)
615 {
616 IceDisposeCompleteMessage (iceConn, pMsg)if ((char *) pMsg < iceConn->inbuf || (char *) pMsg >=
iceConn->inbufmax) free ((char *) pMsg);
;
617 return;
618 }
619
620 if (pMsg->saveType != SmSaveGlobal0 &&
621 pMsg->saveType != SmSaveLocal1 &&
622 pMsg->saveType != SmSaveBoth2)
623 {
624 errVal = pMsg->saveType;
625 errOffset = 8;
626 }
627 else if (pMsg->shutdown != 1 && pMsg->shutdown != 0)
628 {
629 errVal = pMsg->shutdown;
630 errOffset = 9;
631 }
632 else if (pMsg->interactStyle != SmInteractStyleNone0 &&
633 pMsg->interactStyle != SmInteractStyleErrors1 &&
634 pMsg->interactStyle != SmInteractStyleAny2)
635 {
636 errVal = pMsg->interactStyle;
637 errOffset = 10;
638 }
639 else if (pMsg->fast != 1 && pMsg->fast != 0)
640 {
641 errVal = pMsg->fast;
642 errOffset = 11;
643 }
644 else if (pMsg->global != 1 && pMsg->global != 0)
645 {
646 errVal = pMsg->fast;
647 errOffset = 11;
648 }
649
650 if (errOffset >= 0)
651 {
652 _IceErrorBadValue (iceConn, _SmsOpcode,
653 SM_SaveYourselfRequest4, errOffset, 1, (IcePointer) &errVal);
654 }
655 else
656 {
657 (*smsConn->callbacks.save_yourself_request.callback) (smsConn,
658 smsConn->callbacks.save_yourself_request.manager_data,
659 pMsg->saveType, pMsg->shutdown, pMsg->interactStyle,
660 pMsg->fast, pMsg->global);
661 }
662 break;
663 }
664
665 case SM_SaveYourselfPhase2Request16:
666
667 if (!smsConn->save_yourself_in_progress)
668 {
669 _IceErrorBadState (iceConn, _SmsOpcode,
670 SM_SaveYourselfPhase2Request16, IceCanContinue0);
671 }
672 else
673 {
674 CHECK_SIZE_MATCH (iceConn, _SmsOpcode, opcode,if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmsOpcode, opcode, 1); return; }
675 length, SIZEOF (smSaveYourselfPhase2RequestMsg),if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmsOpcode, opcode, 1); return; }
676 IceFatalToProtocol)if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmsOpcode, opcode, 1); return; }
;
677
678 (*smsConn->callbacks.save_yourself_phase2_request.callback) (
679 smsConn, smsConn->callbacks.
680 save_yourself_phase2_request.manager_data);
681 }
682 break;
683
684 case SM_SaveYourselfDone8:
685
686 if (!smsConn->save_yourself_in_progress)
687 {
688 _IceErrorBadState (iceConn, _SmsOpcode,
689 SM_SaveYourselfDone8, IceCanContinue0);
690 }
691 else
692 {
693 smSaveYourselfDoneMsg *pMsg;
694
695 CHECK_SIZE_MATCH (iceConn, _SmsOpcode, opcode,if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmsOpcode, opcode, 1); return; }
696 length, SIZEOF (smSaveYourselfDoneMsg),if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmsOpcode, opcode, 1); return; }
697 IceFatalToProtocol)if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmsOpcode, opcode, 1); return; }
;
698
699 IceReadSimpleMessage (iceConn, smSaveYourselfDoneMsg, pMsg)pMsg = (smSaveYourselfDoneMsg *) (iceConn->inbuf);;
700
701 if (pMsg->success != 1 && pMsg->success != 0)
702 {
703 unsigned char errVal = pMsg->success;
704
705 _IceErrorBadValue (iceConn, _SmsOpcode,
706 SM_SaveYourselfDone8, 2, 1, (IcePointer) &errVal);
707 }
708 else
709 {
710 smsConn->save_yourself_in_progress = False0;
711 smsConn->interaction_allowed = SmInteractStyleNone0;
712
713 (*smsConn->callbacks.save_yourself_done.callback) (smsConn,
714 smsConn->callbacks.save_yourself_done.manager_data,
715 pMsg->success);
716 }
717 }
718 break;
719
720 case SM_CloseConnection11:
721 {
722 smCloseConnectionMsg *pMsg;
723 char *pData, *pStart;
724 int count, i;
725 char **reasonMsgs = NULL((void*)0);
726
727#if 0 /* No-op */
728 CHECK_AT_LEAST_SIZE (iceConn, _SmsOpcode, opcode,if ((((8) - 8) >> 3) > length) { _IceErrorBadLength (
iceConn, _SmsOpcode, opcode, 1); return; }
729 length, SIZEOF (smCloseConnectionMsg), IceFatalToProtocol)if ((((8) - 8) >> 3) > length) { _IceErrorBadLength (
iceConn, _SmsOpcode, opcode, 1); return; }
;
730#endif
731
732 IceReadCompleteMessage (iceConn, SIZEOF (smCloseConnectionMsg),{ unsigned long _bytes; { _IceRead (iceConn, (unsigned long) (
8 - 8), iceConn->inbufptr); pMsg = (smCloseConnectionMsg *
) (iceConn->inbuf); iceConn->inbufptr += (8 - 8); }; _bytes
= (pMsg->length << 3) - (8 - 8); if ((iceConn->inbufmax
- iceConn->inbufptr) >= _bytes) { _IceRead (iceConn, _bytes
, iceConn->inbufptr); pStart = iceConn->inbufptr; iceConn
->inbufptr += _bytes; } else { pStart = (char *) malloc ((
unsigned) _bytes); if (pStart) _IceRead (iceConn, _bytes, pStart
); else _IceReadSkip (iceConn, _bytes); } }
733 smCloseConnectionMsg, pMsg, pStart){ unsigned long _bytes; { _IceRead (iceConn, (unsigned long) (
8 - 8), iceConn->inbufptr); pMsg = (smCloseConnectionMsg *
) (iceConn->inbuf); iceConn->inbufptr += (8 - 8); }; _bytes
= (pMsg->length << 3) - (8 - 8); if ((iceConn->inbufmax
- iceConn->inbufptr) >= _bytes) { _IceRead (iceConn, _bytes
, iceConn->inbufptr); pStart = iceConn->inbufptr; iceConn
->inbufptr += _bytes; } else { pStart = (char *) malloc ((
unsigned) _bytes); if (pStart) _IceRead (iceConn, _bytes, pStart
); else _IceReadSkip (iceConn, _bytes); } }
;
734
735 if (!IceValidIO (iceConn)iceConn->io_ok)
736 {
737 IceDisposeCompleteMessage (iceConn, pStart)if ((char *) pStart < iceConn->inbuf || (char *) pStart
>= iceConn->inbufmax) free ((char *) pStart);
;
738 return;
739 }
740
741 pData = pStart;
742
743 EXTRACT_CARD32 (pData, swap, count){ count = *((CARD32 *) pData); pData += 4; if (swap) count = (
(((count) & 0xff) << 24) | (((count) & 0xff00) <<
8) | (((count) & 0xff0000) >> 8) | (((count) >>
24) & 0xff)); }
;
744 pData += 4;
745
746 for (i = 0; i < count; i++)
747 SKIP_ARRAY8 (pData, swap){ CARD32 _len; { _len = *((CARD32 *) pData); pData += 4; if (
swap) _len = ((((_len) & 0xff) << 24) | (((_len) &
0xff00) << 8) | (((_len) & 0xff0000) >> 8) |
(((_len) >> 24) & 0xff)); }; pData += _len + ((8 -
((unsigned int) (4 + _len) % 8)) % 8); }
;
748
749 CHECK_COMPLETE_SIZE (iceConn, _SmsOpcode, opcode,if (((((pData - pStart + 8) + ((8 - ((unsigned int) ((pData -
pStart + 8)) % 8)) % 8)) - 8) >> 3) != length) { _IceErrorBadLength
(iceConn, _SmsOpcode, opcode, 1); if ((char *) pStart < iceConn
->inbuf || (char *) pStart >= iceConn->inbufmax) free
((char *) pStart);; return; }
750 length, pData - pStart + SIZEOF (smCloseConnectionMsg),if (((((pData - pStart + 8) + ((8 - ((unsigned int) ((pData -
pStart + 8)) % 8)) % 8)) - 8) >> 3) != length) { _IceErrorBadLength
(iceConn, _SmsOpcode, opcode, 1); if ((char *) pStart < iceConn
->inbuf || (char *) pStart >= iceConn->inbufmax) free
((char *) pStart);; return; }
751 pStart, IceFatalToProtocol)if (((((pData - pStart + 8) + ((8 - ((unsigned int) ((pData -
pStart + 8)) % 8)) % 8)) - 8) >> 3) != length) { _IceErrorBadLength
(iceConn, _SmsOpcode, opcode, 1); if ((char *) pStart < iceConn
->inbuf || (char *) pStart >= iceConn->inbufmax) free
((char *) pStart);; return; }
;
752
753 pData = pStart + 8;
754
755 reasonMsgs = malloc (count * sizeof (char *));
756 for (i = 0; i < count; i++)
757 EXTRACT_ARRAY8_AS_STRING (pData, swap, reasonMsgs[i]){ CARD32 _len; { _len = *((CARD32 *) pData); pData += 4; if (
swap) _len = ((((_len) & 0xff) << 24) | (((_len) &
0xff00) << 8) | (((_len) & 0xff0000) >> 8) |
(((_len) >> 24) & 0xff)); }; reasonMsgs[i] = malloc
(_len + 1); memcpy (reasonMsgs[i], pData, _len); reasonMsgs[
i][_len] = '\0'; pData += _len + ((8 - ((unsigned int) (4 + _len
) % 8)) % 8); }
;
758
759 IceDisposeCompleteMessage (iceConn, pStart)if ((char *) pStart < iceConn->inbuf || (char *) pStart
>= iceConn->inbufmax) free ((char *) pStart);
;
760
761 (*smsConn->callbacks.close_connection.callback) (smsConn,
762 smsConn->callbacks.close_connection.manager_data,
763 count, reasonMsgs);
764 break;
765 }
766
767 case SM_SetProperties12:
768 {
769 smSetPropertiesMsg *pMsg;
770 char *pData, *pStart;
771 SmProp **props = NULL((void*)0);
772 int numProps;
773
774#if 0 /* No-op */
775 CHECK_AT_LEAST_SIZE (iceConn, _SmsOpcode, opcode,if ((((8) - 8) >> 3) > length) { _IceErrorBadLength (
iceConn, _SmsOpcode, opcode, 1); return; }
776 length, SIZEOF (smSetPropertiesMsg), IceFatalToProtocol)if ((((8) - 8) >> 3) > length) { _IceErrorBadLength (
iceConn, _SmsOpcode, opcode, 1); return; }
;
777#endif
778
779 IceReadCompleteMessage (iceConn, SIZEOF (smSetPropertiesMsg),{ unsigned long _bytes; { _IceRead (iceConn, (unsigned long) (
8 - 8), iceConn->inbufptr); pMsg = (smSetPropertiesMsg *) (
iceConn->inbuf); iceConn->inbufptr += (8 - 8); }; _bytes
= (pMsg->length << 3) - (8 - 8); if ((iceConn->inbufmax
- iceConn->inbufptr) >= _bytes) { _IceRead (iceConn, _bytes
, iceConn->inbufptr); pStart = iceConn->inbufptr; iceConn
->inbufptr += _bytes; } else { pStart = (char *) malloc ((
unsigned) _bytes); if (pStart) _IceRead (iceConn, _bytes, pStart
); else _IceReadSkip (iceConn, _bytes); } }
780 smSetPropertiesMsg, pMsg, pStart){ unsigned long _bytes; { _IceRead (iceConn, (unsigned long) (
8 - 8), iceConn->inbufptr); pMsg = (smSetPropertiesMsg *) (
iceConn->inbuf); iceConn->inbufptr += (8 - 8); }; _bytes
= (pMsg->length << 3) - (8 - 8); if ((iceConn->inbufmax
- iceConn->inbufptr) >= _bytes) { _IceRead (iceConn, _bytes
, iceConn->inbufptr); pStart = iceConn->inbufptr; iceConn
->inbufptr += _bytes; } else { pStart = (char *) malloc ((
unsigned) _bytes); if (pStart) _IceRead (iceConn, _bytes, pStart
); else _IceReadSkip (iceConn, _bytes); } }
;
781
782 if (!IceValidIO (iceConn)iceConn->io_ok)
783 {
784 IceDisposeCompleteMessage (iceConn, pStart)if ((char *) pStart < iceConn->inbuf || (char *) pStart
>= iceConn->inbufmax) free ((char *) pStart);
;
785 return;
786 }
787
788 pData = pStart;
789
790 SKIP_LISTOF_PROPERTY (pData, swap){ int _i, _j; CARD32 _count; { _count = *((CARD32 *) pData); pData
+= 4; if (swap) _count = ((((_count) & 0xff) << 24
) | (((_count) & 0xff00) << 8) | (((_count) & 0xff0000
) >> 8) | (((_count) >> 24) & 0xff)); }; pData
+= 4; for (_i = 0; _i < _count; _i++) { CARD32 _numvals; {
CARD32 _len; { _len = *((CARD32 *) pData); pData += 4; if (swap
) _len = ((((_len) & 0xff) << 24) | (((_len) & 0xff00
) << 8) | (((_len) & 0xff0000) >> 8) | (((_len
) >> 24) & 0xff)); }; pData += _len + ((8 - ((unsigned
int) (4 + _len) % 8)) % 8); }; { CARD32 _len; { _len = *((CARD32
*) pData); pData += 4; if (swap) _len = ((((_len) & 0xff
) << 24) | (((_len) & 0xff00) << 8) | (((_len
) & 0xff0000) >> 8) | (((_len) >> 24) & 0xff
)); }; pData += _len + ((8 - ((unsigned int) (4 + _len) % 8))
% 8); }; { _numvals = *((CARD32 *) pData); pData += 4; if (swap
) _numvals = ((((_numvals) & 0xff) << 24) | (((_numvals
) & 0xff00) << 8) | (((_numvals) & 0xff0000) >>
8) | (((_numvals) >> 24) & 0xff)); }; pData += 4; for
(_j = 0; _j < _numvals; _j++) { CARD32 _len; { _len = *((
CARD32 *) pData); pData += 4; if (swap) _len = ((((_len) &
0xff) << 24) | (((_len) & 0xff00) << 8) | ((
(_len) & 0xff0000) >> 8) | (((_len) >> 24) &
0xff)); }; pData += _len + ((8 - ((unsigned int) (4 + _len) %
8)) % 8); }; } }
;
791
792 CHECK_COMPLETE_SIZE (iceConn, _SmsOpcode, opcode,if (((((pData - pStart + 8) + ((8 - ((unsigned int) ((pData -
pStart + 8)) % 8)) % 8)) - 8) >> 3) != length) { _IceErrorBadLength
(iceConn, _SmsOpcode, opcode, 1); if ((char *) pStart < iceConn
->inbuf || (char *) pStart >= iceConn->inbufmax) free
((char *) pStart);; return; }
793 length, pData - pStart + SIZEOF (smSetPropertiesMsg),if (((((pData - pStart + 8) + ((8 - ((unsigned int) ((pData -
pStart + 8)) % 8)) % 8)) - 8) >> 3) != length) { _IceErrorBadLength
(iceConn, _SmsOpcode, opcode, 1); if ((char *) pStart < iceConn
->inbuf || (char *) pStart >= iceConn->inbufmax) free
((char *) pStart);; return; }
794 pStart, IceFatalToProtocol)if (((((pData - pStart + 8) + ((8 - ((unsigned int) ((pData -
pStart + 8)) % 8)) % 8)) - 8) >> 3) != length) { _IceErrorBadLength
(iceConn, _SmsOpcode, opcode, 1); if ((char *) pStart < iceConn
->inbuf || (char *) pStart >= iceConn->inbufmax) free
((char *) pStart);; return; }
;
795
796 pData = pStart;
797
798 EXTRACT_LISTOF_PROPERTY (pData, swap, numProps, props){ int _i, _j; { numProps = *((CARD32 *) pData); pData += 4; if
(swap) numProps = ((((numProps) & 0xff) << 24) | (
((numProps) & 0xff00) << 8) | (((numProps) & 0xff0000
) >> 8) | (((numProps) >> 24) & 0xff)); }; pData
+= 4; props = malloc (numProps * sizeof (SmProp *)); for (_i
= 0; _i < numProps; _i++) { props[_i] = malloc (sizeof (SmProp
)); { CARD32 _len; { _len = *((CARD32 *) pData); pData += 4; if
(swap) _len = ((((_len) & 0xff) << 24) | (((_len) &
0xff00) << 8) | (((_len) & 0xff0000) >> 8) |
(((_len) >> 24) & 0xff)); }; props[_i]->name = malloc
(_len + 1); memcpy (props[_i]->name, pData, _len); props[
_i]->name[_len] = '\0'; pData += _len + ((8 - ((unsigned int
) (4 + _len) % 8)) % 8); }; { CARD32 _len; { _len = *((CARD32
*) pData); pData += 4; if (swap) _len = ((((_len) & 0xff
) << 24) | (((_len) & 0xff00) << 8) | (((_len
) & 0xff0000) >> 8) | (((_len) >> 24) & 0xff
)); }; props[_i]->type = malloc (_len + 1); memcpy (props[
_i]->type, pData, _len); props[_i]->type[_len] = '\0'; pData
+= _len + ((8 - ((unsigned int) (4 + _len) % 8)) % 8); }; { props
[_i]->num_vals = *((CARD32 *) pData); pData += 4; if (swap
) props[_i]->num_vals = ((((props[_i]->num_vals) & 0xff
) << 24) | (((props[_i]->num_vals) & 0xff00) <<
8) | (((props[_i]->num_vals) & 0xff0000) >> 8) |
(((props[_i]->num_vals) >> 24) & 0xff)); }; pData
+= 4; props[_i]->vals = malloc ( props[_i]->num_vals *
sizeof (SmPropValue)); for (_j = 0; _j < props[_i]->num_vals
; _j++) { char *_temp; { { props[_i]->vals[_j].length = *(
(CARD32 *) pData); pData += 4; if (swap) props[_i]->vals[_j
].length = ((((props[_i]->vals[_j].length) & 0xff) <<
24) | (((props[_i]->vals[_j].length) & 0xff00) <<
8) | (((props[_i]->vals[_j].length) & 0xff0000) >>
8) | (((props[_i]->vals[_j].length) >> 24) & 0xff
)); }; _temp = malloc (props[_i]->vals[_j].length + 1); memcpy
(_temp, pData, props[_i]->vals[_j].length); _temp[props[_i
]->vals[_j].length] = '\0'; pData += props[_i]->vals[_j
].length + ((8 - ((unsigned int) (4 + props[_i]->vals[_j].
length) % 8)) % 8); }; props[_i]->vals[_j].value = (SmPointer
) _temp; } } }
;
799
800 (*smsConn->callbacks.set_properties.callback) (smsConn,
801 smsConn->callbacks.set_properties.manager_data, numProps, props);
802
803 IceDisposeCompleteMessage (iceConn, pStart)if ((char *) pStart < iceConn->inbuf || (char *) pStart
>= iceConn->inbufmax) free ((char *) pStart);
;
804 break;
805 }
806
807 case SM_DeleteProperties13:
808 {
809 smDeletePropertiesMsg *pMsg;
810 char *pData, *pStart;
811 int count, i;
812 char **propNames = NULL((void*)0);
813
814#if 0 /* No-op */
815 CHECK_AT_LEAST_SIZE (iceConn, _SmsOpcode, opcode,if ((((8) - 8) >> 3) > length) { _IceErrorBadLength (
iceConn, _SmsOpcode, opcode, 1); return; }
816 length, SIZEOF (smDeletePropertiesMsg), IceFatalToProtocol)if ((((8) - 8) >> 3) > length) { _IceErrorBadLength (
iceConn, _SmsOpcode, opcode, 1); return; }
;
817#endif
818
819 IceReadCompleteMessage (iceConn, SIZEOF (smDeletePropertiesMsg),{ unsigned long _bytes; { _IceRead (iceConn, (unsigned long) (
8 - 8), iceConn->inbufptr); pMsg = (smDeletePropertiesMsg *
) (iceConn->inbuf); iceConn->inbufptr += (8 - 8); }; _bytes
= (pMsg->length << 3) - (8 - 8); if ((iceConn->inbufmax
- iceConn->inbufptr) >= _bytes) { _IceRead (iceConn, _bytes
, iceConn->inbufptr); pStart = iceConn->inbufptr; iceConn
->inbufptr += _bytes; } else { pStart = (char *) malloc ((
unsigned) _bytes); if (pStart) _IceRead (iceConn, _bytes, pStart
); else _IceReadSkip (iceConn, _bytes); } }
3
Within the expansion of the macro 'IceReadCompleteMessage':
a
Assuming 'pStart' is null
820 smDeletePropertiesMsg, pMsg, pStart){ unsigned long _bytes; { _IceRead (iceConn, (unsigned long) (
8 - 8), iceConn->inbufptr); pMsg = (smDeletePropertiesMsg *
) (iceConn->inbuf); iceConn->inbufptr += (8 - 8); }; _bytes
= (pMsg->length << 3) - (8 - 8); if ((iceConn->inbufmax
- iceConn->inbufptr) >= _bytes) { _IceRead (iceConn, _bytes
, iceConn->inbufptr); pStart = iceConn->inbufptr; iceConn
->inbufptr += _bytes; } else { pStart = (char *) malloc ((
unsigned) _bytes); if (pStart) _IceRead (iceConn, _bytes, pStart
); else _IceReadSkip (iceConn, _bytes); } }
;
821
822 if (!IceValidIO (iceConn)iceConn->io_ok)
4
Taking false branch
823 {
824 IceDisposeCompleteMessage (iceConn, pStart)if ((char *) pStart < iceConn->inbuf || (char *) pStart
>= iceConn->inbufmax) free ((char *) pStart);
;
825 return;
826 }
827
828 pData = pStart;
829
830 EXTRACT_CARD32 (pData, swap, count){ count = *((CARD32 *) pData); pData += 4; if (swap) count = (
(((count) & 0xff) << 24) | (((count) & 0xff00) <<
8) | (((count) & 0xff0000) >> 8) | (((count) >>
24) & 0xff)); }
;
5
Within the expansion of the macro 'EXTRACT_CARD32':
a
Dereference of null pointer
831 pData += 4;
832
833 for (i = 0; i < count; i++)
834 SKIP_ARRAY8 (pData, swap){ CARD32 _len; { _len = *((CARD32 *) pData); pData += 4; if (
swap) _len = ((((_len) & 0xff) << 24) | (((_len) &
0xff00) << 8) | (((_len) & 0xff0000) >> 8) |
(((_len) >> 24) & 0xff)); }; pData += _len + ((8 -
((unsigned int) (4 + _len) % 8)) % 8); }
; /* prop names */
835
836 CHECK_COMPLETE_SIZE (iceConn, _SmsOpcode, opcode,if (((((pData - pStart + 8) + ((8 - ((unsigned int) ((pData -
pStart + 8)) % 8)) % 8)) - 8) >> 3) != length) { _IceErrorBadLength
(iceConn, _SmsOpcode, opcode, 1); if ((char *) pStart < iceConn
->inbuf || (char *) pStart >= iceConn->inbufmax) free
((char *) pStart);; return; }
837 length, pData - pStart + SIZEOF (smDeletePropertiesMsg),if (((((pData - pStart + 8) + ((8 - ((unsigned int) ((pData -
pStart + 8)) % 8)) % 8)) - 8) >> 3) != length) { _IceErrorBadLength
(iceConn, _SmsOpcode, opcode, 1); if ((char *) pStart < iceConn
->inbuf || (char *) pStart >= iceConn->inbufmax) free
((char *) pStart);; return; }
838 pStart, IceFatalToProtocol)if (((((pData - pStart + 8) + ((8 - ((unsigned int) ((pData -
pStart + 8)) % 8)) % 8)) - 8) >> 3) != length) { _IceErrorBadLength
(iceConn, _SmsOpcode, opcode, 1); if ((char *) pStart < iceConn
->inbuf || (char *) pStart >= iceConn->inbufmax) free
((char *) pStart);; return; }
;
839
840 pData = pStart + 8;
841
842 propNames = malloc (count * sizeof (char *));
843 for (i = 0; i < count; i++)
844 EXTRACT_ARRAY8_AS_STRING (pData, swap, propNames[i]){ CARD32 _len; { _len = *((CARD32 *) pData); pData += 4; if (
swap) _len = ((((_len) & 0xff) << 24) | (((_len) &
0xff00) << 8) | (((_len) & 0xff0000) >> 8) |
(((_len) >> 24) & 0xff)); }; propNames[i] = malloc
(_len + 1); memcpy (propNames[i], pData, _len); propNames[i]
[_len] = '\0'; pData += _len + ((8 - ((unsigned int) (4 + _len
) % 8)) % 8); }
;
845
846 IceDisposeCompleteMessage (iceConn, pStart)if ((char *) pStart < iceConn->inbuf || (char *) pStart
>= iceConn->inbufmax) free ((char *) pStart);
;
847
848 (*smsConn->callbacks.delete_properties.callback) (smsConn,
849 smsConn->callbacks.delete_properties.manager_data,
850 count, propNames);
851
852 break;
853 }
854
855 case SM_GetProperties14:
856
857 CHECK_SIZE_MATCH (iceConn, _SmsOpcode, opcode,if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmsOpcode, opcode, 1); return; }
858 length, SIZEOF (smGetPropertiesMsg),if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmsOpcode, opcode, 1); return; }
859 IceFatalToProtocol)if ((((8) - 8) >> 3) != length) { _IceErrorBadLength (iceConn
, _SmsOpcode, opcode, 1); return; }
;
860
861 (*smsConn->callbacks.get_properties.callback) (smsConn,
862 smsConn->callbacks.get_properties.manager_data);
863 break;
864
865 default:
866 {
867 _IceErrorBadMinor (iceConn, _SmsOpcode, opcode, IceCanContinue0);
868 _IceReadSkip (iceConn, length << 3);
869 break;
870 }
871 }
872}