Fix potential memory leaks and crashes.

src/adc/message.c

@@ -26,8 +26,7 @@
 	uhub_assert(X->capacity); \
 	uhub_assert(X->length); \
 	uhub_assert(X->length <= X->capacity); \
-	uhub_assert(X->length == strlen(X->cache)); \
-	uhub_assert(X->references >= 0);
+	uhub_assert(X->length == strlen(X->cache));
 #else
 #define ADC_MSG_ASSERT(X) do { } while(0)
 #endif /* DEBUG */
@@ -111,12 +110,12 @@ static int adc_msg_grow(struct adc_message* msg, size_t size)
 
 	if (msg->capacity > size)
 		return 1;
-	
+
 	/* Make sure we align our data */
 	newsize = size;
 	newsize += 2; /* termination */
 	newsize += (newsize % sizeof(size_t)); /* alignment padding */
-	
+
 	buf = msg_malloc_zero(newsize);
 	if (!buf)
 		return 0;
@@ -126,7 +125,7 @@ static int adc_msg_grow(struct adc_message* msg, size_t size)
 		memcpy(buf, msg->cache, msg->length);
 		msg_free(msg->cache);
 	}
-	
+
 	msg->cache = buf;
 	msg->capacity = newsize;
 
@@ -144,7 +143,7 @@ static int adc_msg_cache_append(struct adc_message* msg, const char* string, siz
 
 	memcpy(&msg->cache[msg->length], string, len);
 	adc_msg_set_length(msg, msg->length + len);
-	
+
 	assert(msg->capacity > msg->length);
 	msg->cache[msg->length] = 0;
 	return 1;
@@ -777,16 +776,15 @@ char* adc_msg_get_argument(struct adc_message* cmd, int offset)
 	char* end;
 	char* argument;
 	int count = 0;
-	
+
 	ADC_MSG_ASSERT(cmd);
-	
+
 	adc_msg_unterminate(cmd);
-	
+
 	start = strchr(&cmd->cache[adc_msg_get_arg_offset(cmd)-1], ' ');
 	while (start)
 	{
 		end = strchr(&start[1], ' ');
-		
 		if (count == offset)
 		{
 			if (end)
@@ -796,21 +794,27 @@ char* adc_msg_get_argument(struct adc_message* cmd, int offset)
 			else
 			{
 				argument = hub_strdup(&start[1]);
-				if (argument[strlen(argument)-1] == '\n')
+				if (argument && argument[strlen(argument)-1] == '\n')
 					argument[strlen(argument)-1] = 0;
 			}
-			
+
+			if (!argument)
+				return 0; // FIXME: OOM
+
 			if (*argument)
 			{
 				adc_msg_terminate(cmd);
 				return argument;
 			}
+			else
+			{
+				hub_free(argument);
+			}
 		}
-		
 		count++;
 		start = end;
 	}
-	
+
 	adc_msg_terminate(cmd);
 	return 0;
 }

src/adc/sid.c

@@ -88,10 +88,18 @@ struct sid_pool
 struct sid_pool* sid_pool_create(sid_t max)
 {
 	struct sid_pool* pool = hub_malloc(sizeof(struct sid_pool));
+	if (!pool)
+		return 0;
+
 	pool->min = 1;
 	pool->max = max + 1;
 	pool->count = 0;
 	pool->map = hub_malloc_zero(sizeof(struct hub_user*) * pool->max);
+	if (!pool->map)
+	{
+		hub_free(pool);
+		return 0;
+	}
 	pool->map[0] = (struct hub_user*) pool; /* hack to reserve the first sid. */
 
 #ifdef DEBUG_SID

src/core/auth.c

@@ -355,25 +355,46 @@ int acl_is_user_denied(struct acl_handle* handle, const char* data)
 
 int acl_user_ban_nick(struct acl_handle* handle, const char* nick)
 {
+	char* data = 0;
 	struct hub_user_access_info* info = hub_malloc_zero(sizeof(struct hub_user_access_info));
+
 	if (!info)
 	{
 		LOG_ERROR("ACL error: Out of memory!");
 		return -1;
 	}
-	list_append(handle->users_banned, hub_strdup(nick));
+
+	data = hub_strdup(nick);
+	if (!data)
+	{
+		LOG_ERROR("ACL error: Out of memory!");
+		hub_free(info);
+		return -1;
+	}
+
+	list_append(handle->users_banned, data);
 	return 0;
 }
 
 int acl_user_ban_cid(struct acl_handle* handle, const char* cid)
 {
+	char* data;
 	struct hub_user_access_info* info = hub_malloc_zero(sizeof(struct hub_user_access_info));
 	if (!info)
 	{
 		LOG_ERROR("ACL error: Out of memory!");
 		return -1;
 	}
-	list_append(handle->cids, hub_strdup(cid));
+
+	data = hub_strdup(cid);
+	if (!data)
+	{
+		LOG_ERROR("ACL error: Out of memory!");
+		hub_free(info);
+		return -1;
+	}
+
+	list_append(handle->cids, data);
 	return 0;
 }
 
@@ -431,12 +452,12 @@ int acl_is_ip_nat_override(struct acl_handle* handle, const char* ip_address)
  */
 const char* acl_password_generate_challenge(struct acl_handle* acl, struct hub_user* user)
 {
-	char buf[32];
+	char buf[64];
 	uint64_t tiger_res[3];
 	static char tiger_buf[MAX_CID_LEN+1];
 
 	// FIXME: Generate a better nonce scheme.
-	snprintf(buf, 32, "%p%d%d", user, (int) user->id.sid, (int) user->connection->sd);
+	snprintf(buf, 64, "%p%d%d", user, (int) user->id.sid, (int) user->connection->sd);
 
 	tiger((uint64_t*) buf, strlen(buf), (uint64_t*) tiger_res);
 	base32_encode((unsigned char*) tiger_res, TIGERSIZE, tiger_buf);

src/core/commands.c

@@ -77,7 +77,7 @@ static struct hub_command* command_create(const char* message)
 	}
 
 	char* prefix = list_get_first(cmd->args);
-	if (prefix[0] && prefix[1])
+	if (prefix && prefix[0] && prefix[1])
 	{
 		cmd->prefix = hub_strdup(&prefix[1]);
 		cmd->prefix_len = strlen(cmd->prefix);
@@ -235,6 +235,9 @@ static int command_uptime(struct hub_info* hub, struct hub_user* user, struct hu
 static int command_kick(struct hub_info* hub, struct hub_user* user, struct hub_command* cmd)
 {
 	char* nick = list_get_first(cmd->args);
+	if (!nick)
+		return -1; // FIXME: bad syntax.
+
 	struct hub_user* target = uman_get_user_by_nick(hub, nick);
 	
 	if (!target)
@@ -250,6 +253,9 @@ static int command_kick(struct hub_info* hub, struct hub_user* user, struct hub_
 static int command_ban(struct hub_info* hub, struct hub_user* user, struct hub_command* cmd)
 {
 	char* nick = list_get_first(cmd->args);
+	if (!nick)
+		return -1; // FIXME: bad syntax.
+
 	struct hub_user* target = uman_get_user_by_nick(hub, nick);
 
 	if (!target)
@@ -299,6 +305,9 @@ static int command_getip(struct hub_info* hub, struct hub_user* user, struct hub
 	char tmp[128];
 
 	char* nick = list_get_first(cmd->args);
+	if (!nick);
+		return -1; // FIXME: bad syntax/OOM
+
 	struct hub_user* target = uman_get_user_by_nick(hub, nick);
 
 	if (!target)
@@ -316,11 +325,17 @@ static int command_whoip(struct hub_info* hub, struct hub_user* user, struct hub
 	struct hub_user* u;
 	int ret = 0;
 
+	if (!address)
+		return -1; // FIXME: bad syntax.
+
 	ret = ip_convert_address_to_range(address, &range);
 	if (!ret)
 		return command_status(hub, user, cmd, "Invalid IP address/range/mask");
 
 	users = (struct linked_list*) list_create();
+	if (!users)
+		return -1; // FIXME: OOM
+
 	ret = uman_get_user_by_addr(hub, users, &range);
 
 	if (!ret)
@@ -333,6 +348,12 @@ static int command_whoip(struct hub_info* hub, struct hub_user* user, struct hub
 	snprintf(tmp, 128, "*** %s: Found %d match%s:", cmd->prefix, ret, ((ret != 1) ? "es" : ""));
 
 	char* buffer = hub_malloc(((MAX_NICK_LEN + INET6_ADDRSTRLEN + 5) * ret) + strlen(tmp) + 3);
+	if (!buffer)
+	{
+		list_destroy(users);
+		return -1; // FIXME: OOM
+	}
+
 	buffer[0] = 0;
 	strcat(buffer, tmp);
 	strcat(buffer, "\n");
@@ -350,6 +371,7 @@ static int command_whoip(struct hub_info* hub, struct hub_user* user, struct hub
 
 	send_message(hub, user, buffer);
 	hub_free(buffer);
+	list_destroy(users);
 	return 0;
 }
 

src/core/hub.c

@@ -102,6 +102,7 @@ int hub_handle_support(struct hub_info* hub, struct hub_user* u, struct adc_mess
 	if (hub->status == hub_status_disabled && u->state == state_protocol)
 	{
 		on_login_failure(hub, u, status_msg_hub_disabled);
+		hub_free(arg);
 		return -1;
 	}
 

src/core/inf.c

@@ -46,8 +46,11 @@ static int set_feature_cast_supports(struct hub_user* u, struct adc_message* cmd
 	if (adc_msg_has_named_argument(cmd, ADC_INF_FLAG_SUPPORT))
 	{
 		tmp = adc_msg_get_named_argument(cmd, ADC_INF_FLAG_SUPPORT);
+		if (!tmp)
+			return -1; // FIXME: OOM
+
 		user_clear_feature_cast_support(u);
-		
+
 		it = tmp;
 		while (strlen(it) > 4)
 		{

src/core/netevent.c

@@ -111,7 +111,6 @@ int handle_net_read(struct hub_user* user)
 					if (hub_handle_message(g_hub, user, start, (pos - start)) == -1)
 					{
 							return quit_protocol_error;
-							break;
 					}
 				}
 			}

src/core/route.c

@@ -86,7 +86,7 @@ static inline int check_send_queue(struct hub_info* hub, struct hub_user* user,
 		return -1;
 	}
 
-	if (user->send_queue->size > get_max_send_queue_soft(hub) && msg->priority < 0)
+	if (user->send_queue->size > get_max_send_queue_soft(hub))
 	{
 		LOG_WARN("send queue soft overflowed.");
 		return 0;

src/core/usermanager.c

@@ -101,9 +101,10 @@ int uman_init(struct hub_info* hub)
 	if (!users->list)
 	{
 		list_destroy(users->list);
+		hub_free(users);
 		return -1;
 	}
-	
+
 	hub->users = users;
 
 #ifdef USERMANAGER_TIMER

src/network/network.c

@@ -303,7 +303,7 @@ int net_close(int fd)
 	}
 	else
 	{
-		if (fd != -1)
+		if (ret != -1)
 		{
 			net_stats_add_error();
 		}
@@ -474,6 +474,7 @@ int net_socket_create(int af, int type, int protocol)
 	if (sd == -1)
 	{
 		net_error_out(sd, "net_socket_create");
+		return -1;
 	}
 
 #ifdef SOCK_DUAL_STACK_OPT

src/util/list.c

@@ -54,6 +54,11 @@ void list_clear(struct linked_list* list, void (*free_handle)(void* ptr))
 void list_append(struct linked_list* list, void* data_ptr)
 {
 	struct node* new_node = (struct node*) hub_malloc_zero(sizeof(struct node));
+	if (!new_node)
+	{
+		LOG_FATAL("Unable to allocate memory");
+		return;
+	}
 	new_node->ptr = data_ptr;
 	
 	if (list->last)

src/util/tiger.c

@@ -47,10 +47,13 @@ extern uint64_t tiger_sboxes[4*256];
 	ROUND(b, c, a, x7, mul)
 
 void tiger_compress(uint64_t* str, uint64_t state[3]) {
-	uint64_t a, b, c, swap;
+	uint64_t a, b, c;
 	uint64_t x0, x1, x2, x3, x4, x5, x6, x7;
 	uint64_t aa, bb, cc;
+#if PASSES > 3
+	uint64_t swap;
 	size_t pass_no;
+#endif
 	a = state[0];
 	b = state[1];
 	c = state[2];
@@ -107,7 +110,8 @@ void tiger_compress(uint64_t* str, uint64_t state[3]) {
 	x7 -= x6 ^ 0x0123456789ABCDEFULL;
 
 	PASS(b, c, a, 9);
-	
+
+#if PASSES > 3
 	for (pass_no = 3; pass_no < PASSES; pass_no++)
 	{
 		x0 -= x7 ^ 0xA5A5A5A5A5A5A5A5ULL;
@@ -134,7 +138,8 @@ void tiger_compress(uint64_t* str, uint64_t state[3]) {
 		c = b;
 		b = swap;
 	}
-	
+#endif
+
 	a ^= aa;
 	b -= bb;
 	c += cc;