From b8744c22329467d9317a90544b0dd8999bad9448 Mon Sep 17 00:00:00 2001
From: Klaus Kämpf
Date: Fri, 30 Mar 2012 15:11:39 +0200
Subject: Check result of u_parse_query

u_parse_query starts with strtok_r(src, "&,", &pp) thus these filters will be two tokens. As the second one does not contain an equal sign, u_parse_query returns NULL, and hash_scan_begin tries to use it without any checks. The problem is with the comma in the filter, and I could not find a way to circumvent it. As these minimal examples demonstrates: wsman enumerate 'foo' --dialect "http://schemas.dmtf.org/wbem/wsman/1/wsman/SelectorFilter" --filter 'foo="bar,foo"' wsman enumerate 'foo' --dialect "http://schemas.dmtf.org/wbem/wsman/1/wsman/SelectorFilter" --filter "foo='bar,foo'" Reported by Zoltan Micskei
---
 src/wsman.c | 4 ++++
 1 file changed, 4 insertions(+) (limited to 'src')
diff --git a/src/wsman.c b/src/wsman.c
index 61996d4..78d2310 100644
--- a/src/wsman.c
+++ b/src/wsman.c
@@ -870,6 +870,10 @@ int main(int argc, char **argv)
 selector_entry *entry;
 selectors_new = hash_create2(HASHCOUNT_T_MAX, 0, 0);
 selfilter = u_parse_query(wsm_filter);
+ if (!selfilter) {
+ error("Filter parse error");
+ break;
+ }
 hash_scan_begin(&hs, selfilter);
 while ((hn = hash_scan_next(&hs))) {
 entry = u_malloc(sizeof(selector_entry));
-- cgit
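Review bot: On the new failure path in the added `if (!selfilter)` block, `break` leaves the `selectors_new` table created two lines earlier unreleased, and nothing visible in the hunk marks the run as failed. Parsing first avoids the allocation: move `selfilter = u_parse_query(wsm_filter);` and its NULL check above `selectors_new = hash_create2(HASHCOUNT_T_MAX, 0, 0);`. The message could also name the cause given in the commit text, e.g. `error("Filter parse error: ',' and '&' separate selectors and cannot appear inside a value");`, since a quoted comma is still rejected rather than parsed. main() starts and ends outside the hunk, so whether the exit status reflects this error after the `break` should be confirmed there.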