Revision: 14313 Author: adrian.chadd Date: Sat Oct 3 18:41:21 2009 Log: Fix Issue 66 - don't access uninitialized memory when parsing an invalid TLV header
http://code.google.com/p/lusca-cache/source/detail?r=14313 Modified: /branches/LUSCA_HEAD/libsqtlv/tlv.c =======================================
--- /branches/LUSCA_HEAD/libsqtlv/tlv.c Tue Apr 21 22:26:10 2009
+++ /branches/LUSCA_HEAD/libsqtlv/tlv.c Sat Oct 3 18:41:21 2009
@@ -59,6 +59,11 @@
 xmemcpy(&buflen, &buf[j], sizeof(int));
 j += sizeof(int);
+ if (buflen > (*hdr_len) - sizeof(char) - sizeof(int)) {
+ debug(20, 0) ("tlv_unpack: unable to unpack: passed buffer size %d bytes; TLV length %d bytes; header prefix size %d bytes\n", *hdr_len, buflen, (int) (sizeof(char) + sizeof(int)));
+ return NULL;
+ }
+
 /*
 * sanity check on 'buflen' value. It should be at least big
 * enough to hold one type and one length.
--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "lusca-commit" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/lusca-commit?hl=en -~----------~----~----~----~------~----~------~--~---
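Review bot: The new bound on `buflen` is evaluated in unsigned arithmetic, because the `sizeof` operands turn the right-hand side into a `size_t`. When `*hdr_len` is smaller than the header prefix, the subtraction wraps to a very large value and the check accepts any length, a negative `buflen` included. This assumes both are `int`, as the `%d` arguments and the `sizeof(int)` copy suggest; the declarations lie outside the hunk. Comparing in signed arithmetic with explicit lower bounds closes that gap: `const int prefix = (int) (sizeof(char) + sizeof(int));` followed by `if (*hdr_len < prefix || buflen < 0 || buflen > *hdr_len - prefix) {`. The `xmemcpy` in the context lines has already read the prefix from `buf` by the time this runs, so the `*hdr_len < prefix` part would ideally sit before that copy, in the part of the function above the hunk.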
