X-Git-Url: http://git.annexia.org/?a=blobdiff_plain;f=daemon%2Ffile.c;h=2399828ee6e62320df18880425441ada7d2f8ba5;hb=01fedcde05c930c1413e9fe0909fa1da1f360cdf;hp=dbdbbaae719d8904165072bdba2f045bea7b217d;hpb=e9c37113104c1cfb234535adc9b52ad3880a41ce;p=libguestfs.git

diff --git a/daemon/file.c b/daemon/file.c
index dbdbbaa..2399828 100644
--- a/daemon/file.c
+++ b/daemon/file.c
@@ -198,6 +198,11 @@ do_chmod (int mode, const char *path)
 {
   int r;
 
+  if (mode < 0) {
+    reply_with_error ("%s: mode is negative", path);
+    return -1;
+  }
+
   CHROOT_IN;
   r = chmod (path, mode);
   CHROOT_OUT;
@@ -331,25 +336,24 @@ do_read_file (const char *path, size_t *size_r)
     return NULL;
   }
 
-  *size_r = statbuf.st_size;
   /* The actual limit on messages is smaller than this.  This
    * check just limits the amount of memory we'll try and allocate
    * here.  If the message is larger than the real limit, that will
    * be caught later when we try to serialize the message.
    */
-  if (*size_r >= GUESTFS_MESSAGE_MAX) {
+  if (statbuf.st_size >= GUESTFS_MESSAGE_MAX) {
     reply_with_error ("%s: file is too large for the protocol, use guestfs_download instead", path);
     close (fd);
     return NULL;
   }
-  r = malloc (*size_r);
+  r = malloc (statbuf.st_size);
   if (r == NULL) {
     reply_with_perror ("malloc");
     close (fd);
     return NULL;
   }
 
-  if (xread (fd, r, *size_r) == -1) {
+  if (xread (fd, r, statbuf.st_size) == -1) {
     reply_with_perror ("read: %s", path);
     close (fd);
     free (r);
@@ -362,6 +366,10 @@ do_read_file (const char *path, size_t *size_r)
     return NULL;
   }
 
+  /* Mustn't touch *size_r until we are sure that we won't return any
+   * error (RHBZ#589039).
+   */
+  *size_r = statbuf.st_size;
   return r;
 }
 
@@ -413,6 +421,9 @@ do_pread (const char *path, int count, int64_t offset, size_t *size_r)
     return NULL;
   }
 
+  /* Mustn't touch *size_r until we are sure that we won't return any
+   * error (RHBZ#589039).
+   */
   *size_r = r;
   return buf;
 }