Hangbin Liu
2017-05-12 07:36:45 UTC
If the len is not enough for another tlv process, e.g. one more bytes
padding at the end of message, and we set extra to NULL instead of
msg->last_tlv in tlv_post_recv(), then the msg->last_tlv will not be
initialised, and the program will crash if we read msg->last_tlv, e.g. in
function pmc_show().
Signed-off-by: Hangbin Liu <***@gmail.com>
---
msg.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/msg.c b/msg.c
index a38b815..4b3d926 100644
--- a/msg.c
+++ b/msg.c
@@ -140,7 +140,7 @@ static int suffix_post_recv(uint8_t *ptr, int len, struct tlv_extra *last)
}
len -= tlv->length;
ptr += tlv->length;
- err = tlv_post_recv(tlv, len ? NULL : last);
+ err = tlv_post_recv(tlv, len > sizeof(struct TLV) ? NULL : last);
if (err)
return err;
}
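Review bot: The new condition "len > sizeof(struct TLV)" compares the signed "int len" from the function signature against a size_t, so len is converted to unsigned for the comparison. If len can ever be negative after "len -= tlv->length", it turns into a very large value, the test is true, and NULL is passed again, which is the uninitialised msg->last_tlv case the commit message describes. Either cast the right-hand side, as in "len > (int) sizeof(struct TLV)", or point to the check above this hunk that guarantees tlv->length never exceeds len. The boundary is also worth confirming: with ">", exactly sizeof(struct TLV) remaining bytes count as no further TLV, and that should agree with the loop's own continuation condition, which is not visible in this hunk. A one-line comment stating that trailing bytes too short to hold a TLV header are treated as padding would document the intent.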
--
2.5.5