diff --git a/source/ccsp/components/common/DataModel/dml/components/DslhObjRecord/dslh_objro_access.c b/source/ccsp/components/common/DataModel/dml/components/DslhObjRecord/dslh_objro_access.c
index 1a5441dc..ec5f7e81 100644
--- a/source/ccsp/components/common/DataModel/dml/components/DslhObjRecord/dslh_objro_access.c
+++ b/source/ccsp/components/common/DataModel/dml/components/DslhObjRecord/dslh_objro_access.c
@@ -268,12 +268,14 @@ DslhObjroGetAllParamValues
 ppNameArray = (char**)AnscAllocateMemory(sizeof(char*) * uChildCount);
 if( !ppNameArray ) /*RDKB-5791 , CID-33396, NULL check after mem allocation*/
 {
+ *pulArraySize = 0;
 return ANSC_STATUS_FAILURE;
 }
 ppValueArray = (PSLAP_VARIABLE*)AnscAllocateMemory(sizeof(PSLAP_VARIABLE) * uChildCount);
 if( !ppValueArray )
 {
 AnscFreeMemory(ppNameArray);/*RDKB-5791 , CID-33236, NULL check after mem allocation*/
+ *pulArraySize = 0;
 return ANSC_STATUS_FAILURE;
 }
@@ -303,9 +305,12 @@ DslhObjroGetAllParamValues
 if( ppValueArray[ulParamCount] == NULL)
 {
- break;
+ returnStatus = ANSC_STATUS_RESOURCES;
+ goto EXIT;
 }
+ SlapInitVariable(ppValueArray[ulParamCount]);
+
 ppValueArray[ulParamCount]->Name = pChildVarRecord->GetFullName((ANSC_HANDLE)pChildVarRecord);
 ppValueArray[ulParamCount]->ContentType = pChildVarEntity->ContentType;
 ppValueArray[ulParamCount]->Syntax = pChildVarEntity->Syntax;
@@ -342,6 +347,12 @@ DslhObjroGetAllParamValues
 } /* Check parameter value and change it to be 2 Ending*/
+ if ( (ulTotalParamCount + ulParamCount) > ulMaxParamCount )
+ {
+ returnStatus = ANSC_STATUS_BAD_PARAMETER;
+ goto EXIT;
+ }
+
 /* copy value back */
 for( i = 0; i < ulParamCount; i ++)
 {
diff --git a/source/ccsp/components/common/DataModel/dml/components/DslhWmpDatabase/dslh_wmpdo_mpaif.c b/source/ccsp/components/common/DataModel/dml/components/DslhWmpDatabase/dslh_wmpdo_mpaif.c
index 6d6b3ed3..59b9d9f5 100644
--- a/source/ccsp/components/common/DataModel/dml/components/DslhWmpDatabase/dslh_wmpdo_mpaif.c
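Review bot: In the hunk at -303 the new `goto EXIT` on a failed element allocation leaves `*pulArraySize` untouched, while the two early returns patched at -268 now set it to 0; the `goto EXIT` added at -342 has the same gap. Unless the code at EXIT (outside these hunks) resets it, a caller that cleans up by array size could walk entries that were never filled, so I would add `*pulArraySize = 0;` before each `goto EXIT`. EXIT also has to release the `ulParamCount` entries already built, including the strings returned by `GetFullName`, because the old `break` handed them to the copy-back loop instead. The same cleanup question applies to `goto EXIT2` at -1784 in dslh_wmpdo_mpaif.c.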
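Review bot: The bound check added at -342, `(ulTotalParamCount + ulParamCount) > ulMaxParamCount`, can wrap if the operands are unsigned (the `ul` prefix suggests so, but the declarations are outside the hunk), which would let an oversized count pass. A wrap-free form is `if ( ulTotalParamCount > ulMaxParamCount || ulParamCount > ulMaxParamCount - ulTotalParamCount )`. A short comment saying that this check keeps the copy-back loop inside the caller's array would also help the next reader.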
+++ b/source/ccsp/components/common/DataModel/dml/components/DslhWmpDatabase/dslh_wmpdo_mpaif.c
@@ -859,7 +859,7 @@ DslhWmpdoMpaSetParameterValues
 {
 if(pVarRecord->Notification)
 {
- vcSig.parameterName = pParameterValueArray[i].Name;
+ vcSig.parameterName = AnscCloneString(pParameterValueArray[i].Name);
 parseOldVal(pParameterValueArray[i].Value, &vcSig);
 vcSig.newValue = vcSig.oldValue;
 parseOldVal(pVarRecord->OldParamValue, &vcSig);
@@ -1718,6 +1718,13 @@ DslhWmpdoMpaGetParameterValues
 (AnscSizeOfString(pParamNameArray->Array.arrayString[i]) == 0) ||
 DslhCwmpIsPartialName(pParamNameArray->Array.arrayString[i]) )
 {
+ if ((ulParameterIndex > ulParameterCount) && (ulParameterIndex < pParamNameArray->VarCount))
+ {
+ AnscTraceWarning(("ulParameterIndex:%lu is greater than ulParameterCount:%lu\n", ulParameterIndex, ulParameterCount));
+ AnscTraceWarning(("pParamNameArray->VarCount:%lu\n", pParamNameArray->VarCount));
+ AnscTraceWarning(("ulParamCopyCount:%lu\n", ulParamCopyCount));
+ }
+
 pObjRecord = (PDSLH_OBJ_RECORD_OBJECT)phAnyRecordArray[i];
 ulParamCopyCount = ulParameterCount - ulParameterIndex;
@@ -1730,6 +1737,16 @@ DslhWmpdoMpaGetParameterValues
 bFromAcs,
 writeID
 );
+ if ( returnStatus != ANSC_STATUS_SUCCESS )
+ {
+ goto EXIT3;
+ }
+
+ if ( ulParamCopyCount > (ulParameterCount - ulParameterIndex) )
+ {
+ returnStatus = ANSC_STATUS_BAD_PARAMETER;
+ goto EXIT3;
+ }
 ulParameterIndex += ulParamCopyCount;
 }
@@ -1784,9 +1801,12 @@ DslhWmpdoMpaGetParameterValues
 if( ppValueArray[ulSameObj] == NULL)
 {
- break;
+ returnStatus = ANSC_STATUS_RESOURCES;
+ goto EXIT2;
 }
+ SlapInitVariable(ppValueArray[ulSameObj]);
+
 pVarEntity = (PDSLH_VAR_ENTITY_OBJECT)pVarRecord->hDslhVarEntity;
 ppValueArray[ulSameObj]->Name = pVarRecord->GetFullName((ANSC_HANDLE)pVarRecord);
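Review bot: The result of `AnscCloneString` at -859 goes straight into `vcSig.parameterName` with no NULL check, so if the clone fails (presumably it returns NULL on allocation failure) whatever consumes `vcSig` after the `parseOldVal` calls, outside the hunk, receives a NULL name. The clone also makes `vcSig` the owner of a heap string, so that consumer has to free it on every path or each notifying parameter leaks one allocation. I would add a one-line comment next to the assignment stating who frees `vcSig.parameterName`.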
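Review bot: The guard added at -1718 only logs when `ulParameterIndex > ulParameterCount`; execution continues to `ulParamCopyCount = ulParameterCount - ulParameterIndex;`, which wraps to a very large value if these are unsigned, and that value appears to be the capacity handed to the call that follows. The post-call check in the hunk at -1730, `ulParamCopyCount > (ulParameterCount - ulParameterIndex)`, uses the same subtraction and so cannot catch that case. I would fail here instead of logging: `if ( ulParameterIndex > ulParameterCount ) { returnStatus = ANSC_STATUS_BAD_PARAMETER; goto EXIT3; }`. The third warning also prints `ulParamCopyCount` before it is assigned for this iteration, so it reports a stale (on the first pass possibly uninitialised) value.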
@@ -1834,8 +1854,13 @@ DslhWmpdoMpaGetParameterValues
 for( j = 0 ; j < ulSameObj; j ++)
 {
+ if ( ulParameterIndex >= ulParameterCount )
+ {
+ returnStatus = ANSC_STATUS_BAD_PARAMETER;
+ goto EXIT3;
+ }
 /* copy the value back */
- pParameterValueArray[ulParameterIndex].Name = ppValueArray[j]->Name;
+ pParameterValueArray[ulParameterIndex].Name = AnscCloneString(ppValueArray[j]->Name);
 pParameterValueArray[ulParameterIndex].Value = ppValueArray[j];
 ppValueArray[j]->Name = NULL;
diff --git a/source/ccsp/components/common/MessageBusHelper/helper/messagebus_interface_helper.c b/source/ccsp/components/common/MessageBusHelper/helper/messagebus_interface_helper.c
index 22097a01..e41273ef 100644
--- a/source/ccsp/components/common/MessageBusHelper/helper/messagebus_interface_helper.c
+++ b/source/ccsp/components/common/MessageBusHelper/helper/messagebus_interface_helper.c
@@ -372,6 +372,11 @@ CcspCcMbi_GetParameterValues
 {
 for ( i = 0; i < ulArraySize; i++ )
 {
+ if (pParamValueArray[i].Name == NULL)
+ {
+ AnscTraceWarning(("CcspCcMbi_GetParameterValues cleanup stopped at index %lu (NULL Name)\n", i));
+ break;
+ }
 DslhCwmpCleanParamValue((&pParamValueArray[i]));
 }
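Review bot: After the change at -1834 `pParameterValueArray[ulParameterIndex].Name` holds a clone, yet the context line `ppValueArray[j]->Name = NULL;` still drops the original pointer; if `GetFullName` returns heap memory (the old pointer hand-over suggests it does), that string now leaks for every copied parameter. Releasing it first with `AnscFreeMemory(ppValueArray[j]->Name);`, or keeping the original pointer transfer, would avoid that. The clone result is not checked either, and the cleanup loop changed at -372 in messagebus_interface_helper.c stops at the first NULL `Name`. The new `goto EXIT3` leaves entries `j..ulSameObj-1` of `ppValueArray` unconsumed, so confirm that EXIT3 (outside the hunk) frees them, given that the failure at -1784 jumps to EXIT2 instead.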
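Review bot: The `break` added at -372 abandons every entry after the first NULL `Name` and also skips `DslhCwmpCleanParamValue` for the current one, whose `Value` may still be set (at -1834 in dslh_wmpdo_mpaif.c `Value` is assigned even when the name clone fails). If the array is zero-initialised and `ulArraySize` counts only filled slots (both are outside the hunk), the check is unnecessary; if not, a NULL `Name` is an unreliable end marker and the producer should report the filled count instead. At minimum I would add a comment such as `/* entries past the first NULL Name were never populated by the callee */`, provided that invariant actually holds.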