[ https://issues.apache.org/jira/browse/MYNEWT-656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15900223#comment-15900223 ]
ASF subversion and git services commented on MYNEWT-656:
--------------------------------------------------------
Commit 0db6321a75deda126943aa187842da6b977cd1c1 in incubator-mynewt-core's
branch refs/heads/1_0_0_dev from [~marko]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-mynewt-core.git;h=0db6321 ]
MYNEWT-656; kernel/os - fix memory corruption by os_mbuf_copyinto().
> os_mbuf_copyinto() memory overrun
> ---------------------------------
>
> Key: MYNEWT-656
> URL: https://issues.apache.org/jira/browse/MYNEWT-656
> Project: Mynewt
> Issue Type: Bug
> Reporter: Marko Kiiskila
> Assignee: Marko Kiiskila
> Priority: Critical
> Fix For: v1_0_0_rel
>
>
> os_mbuf_copyinto() corrupts memory when the copy spans 2 or more target
> mbufs.
> The problem is that cur_off is not reset after copying the first part of the data.
> diff --git a/kernel/os/src/os_mbuf.c b/kernel/os/src/os_mbuf.c
> index 28dec0b..7888a86 100644
> --- a/kernel/os/src/os_mbuf.c
> +++ b/kernel/os/src/os_mbuf.c
> @@ -1086,6 +1086,7 @@ os_mbuf_copyinto(struct os_mbuf *om, int off, const
> void *src, int len)
> }
>
> cur = next;
> + cur_off = 0;
> }
>
> /* Append the remaining data to the end of the chain. */
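Review bot: the `cur_off = 0;` added after `cur = next;` comes with no regression test in this diff, so nothing keeps the multi-mbuf case from breaking again. Please add a kernel/os test that calls os_mbuf_copyinto() with a non-zero `off` and a `len` that crosses at least two mbufs in the chain, then checks both the copied bytes and the bytes around them. A one-line comment on the reset saying that `off` applies only to the first mbuf written would also help the next reader of this loop.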
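The failure mode described in the issue, shown on a simplified model as an added example (not Mynewt's code): `struct seg`, `chain_copyinto` and `demo_span_copy` are hypothetical names, the chain is constructed, and unlike os_mbuf_copyinto() this model does not append data past the end of the chain. The `cur_off = 0` line plays the role of the one-line fix, and the demo checks that a write spanning three segments lands at the right offsets with the canary bytes untouched.

```c
#include <string.h>
#define SEG_CAP 8                     /* constructed segment capacity */

struct seg {                          /* hypothetical model, not struct os_mbuf */
    unsigned char data[SEG_CAP];
    unsigned char guard[4];           /* canary, must stay 0xAA */
    int len;                          /* bytes in use in data[] */
    struct seg *next;
};

/* Overwrite len bytes at chain offset off; 0 on success, -1 if the range leaves the chain. */
int chain_copyinto(struct seg *s, int off, const void *src, int len)
{
    const unsigned char *p = src;
    int cur_off = off;
    if (off < 0 || len < 0) return -1;
    while (s != NULL && cur_off >= s->len) {   /* find the segment holding off */
        cur_off -= s->len;
        s = s->next;
    }
    while (len > 0) {
        if (s == NULL) return -1;              /* ran out of chain; earlier bytes were written */
        int n = s->len - cur_off;              /* room left in this segment */
        if (n > len) n = len;
        memcpy(s->data + cur_off, p, (size_t)n);
        p += n; len -= n;
        s = s->next;
        cur_off = 0;                           /* off applies to the first segment only */
    }
    return 0;
}

/* Constructed chain with lengths 8, 4, 8; write 12 bytes at offset 6. Returns 1 if correct. */
int demo_span_copy(void)
{
    struct seg c[3];
    for (int i = 0; i < 3; i++) {
        memset(c[i].data, '.', SEG_CAP);
        memset(c[i].guard, 0xAA, sizeof c[i].guard);
        c[i].len = (i == 1) ? 4 : SEG_CAP;     /* middle segment shorter than off */
        c[i].next = (i < 2) ? &c[i + 1] : NULL;
    }
    if (chain_copyinto(c, 6, "ABCDEFGHIJKL", 12) != 0) return 0;
    for (int i = 0; i < 3; i++)
        if (memcmp(c[i].guard, "\xAA\xAA\xAA\xAA", 4) != 0) return 0;
    return memcmp(c[0].data, "......AB", 8) == 0 && memcmp(c[1].data, "CDEF....", 8) == 0
        && memcmp(c[2].data, "GHIJKL..", 8) == 0;
}

int main(void) { return demo_span_copy() ? 0 : 1; }
```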