From e1c909598d74b10e187fd1b96c97f2ab2e1b0972 Mon Sep 17 00:00:00 2001
From: Patrick Caulfield
Date: Tue, 1 Jul 2008 07:23:25 +0000
Subject: [PATCH] this patch fixes a segfault/crash in confdb_write. If the operation is succesful there is no need to set error_string. If error_string is not set, don't try to access it or we crash. At the same time perform the same check in libconfdb when we receive the reply. Fabio git-svn-id: http://svn.fedorahosted.org/svn/corosync/trunk@1569 fd59a12c-fef9-0310-b244-a6a79926bd2f
---
 exec/confdb.c | 9 ++++++---
 lib/confdb.c | 3 ++-
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/exec/confdb.c b/exec/confdb.c
index e6228b16..da8b85f0 100644
--- a/exec/confdb.c
+++ b/exec/confdb.c
@@ -455,7 +455,7 @@ static void message_handler_req_lib_confdb_write (void *conn, void *message)
 {
 struct res_lib_confdb_write res_lib_confdb_write;
 int ret = SA_AIS_OK;
- char *error_string;
+ char *error_string = NULL;
 if (global_objdb->object_write_config(&error_string))
 ret = SA_AIS_ERR_ACCESS;
@@ -463,8 +463,11 @@ static void message_handler_req_lib_confdb_write (void *conn, void *message)
 res_lib_confdb_write.header.size = sizeof(res_lib_confdb_write);
 res_lib_confdb_write.header.id = MESSAGE_RES_CONFDB_WRITE;
 res_lib_confdb_write.header.error = ret;
- strcpy((char *)res_lib_confdb_write.error.value, error_string);
- res_lib_confdb_write.error.length = strlen(error_string) + 1;
+ if (error_string) {
+ strcpy((char *)res_lib_confdb_write.error.value, error_string);
+ res_lib_confdb_write.error.length = strlen(error_string) + 1;
+ } else
+ res_lib_confdb_write.error.length = 0;
 openais_conn_send_response(conn, &res_lib_confdb_write, sizeof(res_lib_confdb_write));
 }
diff --git a/lib/confdb.c b/lib/confdb.c
index 03a4e7bc..43174f46 100644
--- a/lib/confdb.c
+++ b/lib/confdb.c
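Review bot: In exec/confdb.c, message_handler_req_lib_confdb_write still copies error_string into res_lib_confdb_write.error.value with an unbounded `strcpy`, and the response struct is a stack variable that is never zeroed before all `sizeof(res_lib_confdb_write)` bytes are sent to the client. A long message from object_write_config could overrun the field, and on the new `else` path (and past the NUL on the other path) the reply carries uninitialized stack bytes. I would start the function with `memset(&res_lib_confdb_write, 0, sizeof(res_lib_confdb_write));` and make the copy bounded, e.g. `snprintf((char *)res_lib_confdb_write.error.value, sizeof(res_lib_confdb_write.error.value), "%s", error_string);`, assuming error.value is a fixed-size array (its declaration is not in this diff). Whether the handler owns error_string and must free it is also not visible here and deserves a comment.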
@@ -1130,7 +1130,8 @@ confdb_error_t confdb_write (
 }
 error = res_lib_confdb_write.header.error;
- memcpy(error_text, res_lib_confdb_write.error.value, res_lib_confdb_write.error.length);
+ if (res_lib_confdb_write.error.length)
+ memcpy(error_text, res_lib_confdb_write.error.value, res_lib_confdb_write.error.length);
 error_exit:
 saHandleInstancePut (&confdb_handle_t_db, handle);
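Review bot: The `memcpy` into error_text in confdb_write still uses res_lib_confdb_write.error.length exactly as received in the reply, so the new check only skips the zero case. Nothing bounds the length by the size of error.value or by the capacity of the caller's buffer, neither of which is visible in this hunk. I would clamp it before copying, e.g. `if (len > sizeof(res_lib_confdb_write.error.value)) len = sizeof(res_lib_confdb_write.error.value);`, and document the minimum size callers must provide for error_text. When the length is zero error_text is left untouched, so adding `else error_text[0] = '\0';` would keep callers from printing stale or uninitialized text. The function starts and ends outside the hunk.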