This is an automated email from the ASF dual-hosted git repository.

xiaoxiang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/incubator-nuttx-apps.git


The following commit(s) were added to refs/heads/master by this push:
     new ffab06c6c usrsock:fix stack-buffer-overflow issue when running basic_send test case
ffab06c6c is described below

commit ffab06c6c5f6b10f4617b6a07b32ffbb5939028e
Author: liangchaozhong <liangchaozh...@xiaomi.com>
AuthorDate: Fri Oct 21 10:12:04 2022 +0800

    usrsock:fix stack-buffer-overflow issue when running basic_send test case
    
    The following error was reported when running usrsocktest with KASAN check enabled.
        ==1348590==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xf20ec610 at pc 0x56ac61ba bp 0xf20ec278 sp 0xf20ec268
    
    rootcause:
    hdrbuf's size is not large enough to store the data in usrsock's request.
    
    solution:
    double hdrbuf's size to make sure the space, used to store usrsock's request, is enough.
    
    Signed-off-by: liangchaozhong <liangchaozh...@xiaomi.com>
---
 examples/usrsocktest/usrsocktest_daemon.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/examples/usrsocktest/usrsocktest_daemon.c 
b/examples/usrsocktest/usrsocktest_daemon.c
index b91bc7122..b62985883 100644
--- a/examples/usrsocktest/usrsocktest_daemon.c
+++ b/examples/usrsocktest/usrsocktest_daemon.c
@@ -1579,7 +1579,7 @@ static int handle_usrsock_request(int fd, FAR struct 
daemon_priv_s *priv)
         },
     };
 
-  uint8_t hdrbuf[16];
+  uint8_t hdrbuf[32];
   FAR struct usrsock_request_common_s *common_hdr = (FAR void *)hdrbuf;
   ssize_t rlen;
 
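Review bot: the new size in `uint8_t hdrbuf[32];` is still a hard-coded number with no visible link to the request structures it has to hold, so the next request type that grows past 32 bytes brings the same stack overflow back. Consider sizing the buffer from the request types themselves, for example a union of the request structures or a `sizeof` of the largest one, and add a comment saying what the size must cover. A union would also give the buffer the alignment that the cast to `struct usrsock_request_common_s *` on the next line relies on, which a plain `uint8_t` array does not guarantee.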
@@ -1601,7 +1601,8 @@ static int handle_usrsock_request(int fd, FAR struct 
daemon_priv_s *priv)
       return -EIO;
     }
 
-  assert(handlers[common_hdr->reqid].hdrlen < sizeof(hdrbuf));
+  assert(handlers[common_hdr->reqid].hdrlen <
+         (sizeof(hdrbuf) - sizeof(*common_hdr)));
 
   rlen = read_req(fd, common_hdr, hdrbuf,
                   handlers[common_hdr->reqid].hdrlen);
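Review bot: the bound on `handlers[common_hdr->reqid].hdrlen` ahead of `read_req()` is enforced only with `assert()`, which is compiled out when `NDEBUG` is defined, so in such a build nothing checks the length before data is written into the stack buffer. Please make this a runtime check that returns an error (the function already returns `-EIO` just above). It would also help to add a comment explaining why `sizeof(*common_hdr)` is subtracted: whether `hdrlen` already counts the common header is not visible here, and the strict `<` additionally rejects a header that would fit exactly.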
