The logic that adds TLVs to the end of a message mixes up the 'L'
length in "TLV" with the total TLV length. As a result, the second
and subsequent TLVs will corrupt the previous TLV in the buffer. This
patch corrects the code to find the correct offset for the second and
following appended TLVs.
Note that the stack does not currently trigger this latent bug because
only single TLVs are appended.
Fixes: 4a8877f90462 ("msg: Introduce method for appending multiple TLVs on
transmit.")
Signed-off-by: Richard Cochran <[email protected]>
---
msg.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/msg.c b/msg.c
index 0a38f21..a4a44fd 100644
--- a/msg.c
+++ b/msg.c
@@ -151,6 +151,8 @@ static struct tlv_extra *msg_tlv_prepare(struct ptp_message
*msg, int length)
tmp = TAILQ_LAST(&msg->tlv_list, tlv_list);
if (tmp) {
ptr = (uint8_t *) tmp->tlv;
+ ptr += sizeof(tmp->tlv->type);
+ ptr += sizeof(tmp->tlv->length);
ptr += tmp->tlv->length;
}
--
2.11.0
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Linuxptp-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/linuxptp-devel
