Marko Kiiskila created MYNEWT-656:
-------------------------------------
Summary: os_mbuf_copyinto() memory overrun
Key: MYNEWT-656
URL: https://issues.apache.org/jira/browse/MYNEWT-656
Project: Mynewt
Issue Type: Bug
Reporter: Marko Kiiskila
Assignee: Marko Kiiskila
Priority: Critical

os_mbuf_copyinto() corrupts memory when the copy spans 2 or more target mbufs.
The problem is that cur_off is not reset after copying the first part of the data.

diff --git a/kernel/os/src/os_mbuf.c b/kernel/os/src/os_mbuf.c
index 28dec0b..7888a86 100644
--- a/kernel/os/src/os_mbuf.c
+++ b/kernel/os/src/os_mbuf.c
@@ -1086,6 +1086,7 @@ os_mbuf_copyinto(struct os_mbuf *om, int off, const void
*src, int len)
}
cur = next;
+ cur_off = 0;
}
/* Append the remaining data to the end of the chain. */
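Review bot: no regression test accompanies the cur_off = 0 reset added after cur = next, so the multi-mbuf case it repairs can break again unnoticed. Suggest adding a unit test for os_mbuf_copyinto() that writes at a nonzero offset with a length spanning two or more mbufs, then checks both the copied bytes and the untouched bytes on either side. A short comment on the new line saying that the starting offset applies only to the first mbuf of the copy would also make the intent clear to later readers.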
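The kind of regression check this report calls for, shown on a toy chain of fixed-size buffers. This is an added example, not Mynewt code and not part of the report: `struct chain`, `toy_copyinto` and `copy_matches_flat` are hypothetical names, and the loop is a simplified model of the behaviour described, with `reset_off` selecting the stale-offset or the fixed variant.

```c
#include <stdint.h>
#include <string.h>

#define NSEG 3      /* buffers in the toy chain (constructed) */
#define SEG_LEN 8   /* bytes per buffer (constructed) */

/* Toy stand-in for an mbuf chain; not Mynewt's struct os_mbuf. */
struct chain { uint8_t seg[NSEG][SEG_LEN]; };

/* Copy len bytes from src into the chain at logical offset off.
 * reset_off = 0 carries the first buffer's offset into later buffers (the
 * reported defect); reset_off = 1 clears it after each buffer (the fix).
 * Returns the bytes that did not fit, or -1 on bad arguments. */
static int
toy_copyinto(struct chain *c, int off, const uint8_t *src, int len, int reset_off)
{
    int cur, cur_off, copylen;

    if (off < 0 || len < 0 || off >= NSEG * SEG_LEN) return -1;
    cur = off / SEG_LEN;
    cur_off = off % SEG_LEN;
    for (; cur < NSEG && len > 0; cur++) {
        copylen = SEG_LEN - cur_off;      /* room left in this buffer */
        if (copylen > len) copylen = len;
        memcpy(&c->seg[cur][cur_off], src, copylen);
        src += copylen;
        len -= copylen;
        if (reset_off) cur_off = 0;       /* offset applies to first buffer only */
    }
    return len;
}

/* Write 10 bytes at offset 6 (spans two buffers) and compare the chain
 * against the same write done on one flat array. Returns 1 on a match. */
static int
copy_matches_flat(int reset_off)
{
    struct chain c;
    uint8_t flat[NSEG * SEG_LEN], src[10];
    int i, left;

    memset(&c, 0, sizeof c);
    memset(flat, 0, sizeof flat);
    for (i = 0; i < 10; i++) src[i] = (uint8_t)(0xA0 + i);
    memcpy(flat + 6, src, sizeof src);
    left = toy_copyinto(&c, 6, src, sizeof src, reset_off);
    return left == 0 && memcmp(c.seg, flat, sizeof flat) == 0;
}
```

In this model the stale offset puts the second and third chunks at position 6 of their buffers and leaves 4 bytes unplaced, so comparing against a flat reference catches the defect.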