It is checked when data is sent by checking if the data would fit inside
the outgoing UDP packet. But it is not checked if the data would fit after
the sending was done. This doesn't have to be true just from the
restrictions which can be seen in this function. So just check if the data
and its headers would now fit in the outgoing buffer before copying the data to
the output buffer.

This is not a problem by itself because the data + header in the dataset
cannot be larger than (MAX_PAYLOAD - sizeof(struct alfred_push_data_v0)).

Reported-by: Hans-Werner Hilse <[email protected]>
Signed-off-by: Sven Eckelmann <[email protected]>
---
 send.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/send.c b/send.c
index 8853970..5a92132 100644
--- a/send.c
+++ b/send.c
@@ -92,4 +92,9 @@ int push_data(struct globals *globals, struct interface 
*interface,
                }
 
+               /* still too large? - should never happen */
+               if (total_length + dataset->data.header.length + sizeof(*data) >
+                   MAX_PAYLOAD - sizeof(*push))
+                       continue;
+
                data = (struct alfred_data *)
                       (buf + sizeof(*push) + total_length);
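
Review bot: The new size check ends in a bare `continue`, so a dataset that does not fit is skipped silently, and because the comment says this "should never happen", a violated invariant would go unnoticed. Consider emitting a diagnostic before the `continue`. The comment could also name the invariant the commit message relies on (data plus header in the dataset cannot exceed MAX_PAYLOAD - sizeof(*push)), so a reader of send.c can see why the branch is expected to be dead without looking up the commit.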
-- 
2.1.4
