The coredump is generated in the context of processing the message type
"IMMND_EVT_D2ND_IMPLDELETE" because the memory is corrupted at the time
of decoding that message.

It allocated 'size' bytes of memory, valid for indexes in the range [0, 'size - 1'],
but then modified (added a null terminator to) the memory at index `size`, which
was out of that range.

This patch fixes this issue. The memory should be allocated with `size + 1`
bytes in length.
---
 src/imm/common/immsv_evt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/imm/common/immsv_evt.c b/src/imm/common/immsv_evt.c
index 03a7f8125..c93f82a0f 100644
--- a/src/imm/common/immsv_evt.c
+++ b/src/imm/common/immsv_evt.c
@@ -2898,7 +2898,7 @@ static uint32_t immsv_evt_dec_sublevels(NCS_UBAID *i_ub, 
IMMSV_EVT *o_evt)
                                implNameList[i].size = ncs_decode_32bit(&p8);
                                ncs_dec_skip_space(i_ub, 4);
 
-                               implNameList[i].buf = (char 
*)malloc(implNameList[i].size);
+                               implNameList[i].buf = (char 
*)malloc(implNameList[i].size + 1);
                                if (implNameList[i].buf == NULL ||
                                                
ncs_decode_n_octets_from_uba(i_ub,
                                                                (uint8_t 
*)implNameList[i].buf,
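Review bot: `implNameList[i].size` is taken straight off the wire by `ncs_decode_32bit` two lines above, so if the field is a 32-bit unsigned type, `malloc(implNameList[i].size + 1)` wraps to `malloc(0)` for a peer-supplied 0xFFFFFFFF and the following copy of `size` octets overflows the heap again; reject or cap the decoded size (against a maximum implementer-name length) before the allocation rather than only adding one. The terminator write that the commit message places at index `size` is below the visible context, so please confirm it still writes `buf[size] = '\0'` after the `ncs_decode_n_octets_from_uba` call and that the length passed to that call stays `implNameList[i].size`, not `size + 1`.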
-- 
2.18.0
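The off-by-one the commit message describes, as an added stand-alone example that is not OpenSAF code: a decoder for a 32-bit length-prefixed name that allocates `size + 1` bytes so the terminator at index `size` is in bounds, and that bounds the wire-supplied length before the allocation so `size + 1` cannot wrap. The big-endian length encoding, the `MAX_NAME_LEN` cap and the sample messages are assumptions constructed for the example.

```c
// Added example (not OpenSAF code): decode a 32-bit length-prefixed name
// from a constructed byte stream into a NUL-terminated C string.
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

// Hypothetical upper bound on a name; OpenSAF's real limit is not on the page.
#define MAX_NAME_LEN 1024u

// Read a big-endian 32-bit length field (assumed wire encoding).
static uint32_t read_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Decode one length-prefixed name starting at in[*off].
 * On success returns a heap buffer holding exactly `size` bytes plus a NUL,
 * advances *off and stores the length in *out_len. Returns NULL on a
 * truncated or oversized message; the caller must free() the result. */
char *decode_name(const uint8_t *in, size_t in_len, size_t *off, uint32_t *out_len) {
    if (*off > in_len || in_len - *off < 4) return NULL;   // need the length field
    uint32_t size = read_u32(in + *off);
    *off += 4;

    // Bound the wire-supplied length before doing arithmetic on it, so
    // size + 1 cannot wrap and the copy cannot run past the message.
    if (size > MAX_NAME_LEN || size > in_len - *off) return NULL;

    // Fixed form: allocate room for the terminator. The buggy form was
    // malloc(size) followed by buf[size] = '\0', a one-byte heap overflow.
    char *buf = malloc((size_t)size + 1);
    if (buf == NULL) return NULL;

    memcpy(buf, in + *off, size);
    buf[size] = '\0';                        // index `size` is now in bounds
    *off += size;
    *out_len = size;
    return buf;
}

// Exercise the decoder on a constructed two-name message (sample data, not a
// captured OpenSAF frame). Returns the number of names decoded, or -1 if a
// decoded name does not match what was encoded.
int decode_sample(void) {
    static const uint8_t msg[] = {
        0x00, 0x00, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
        0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c'
    };
    static const char *expected[] = { "hello", "abc" };
    size_t off = 0;
    int count = 0;
    while (off < sizeof msg) {
        uint32_t len;
        char *name = decode_name(msg, sizeof msg, &off, &len);
        if (name == NULL) return -1;
        int ok = count < 2 && strlen(name) == len && strcmp(name, expected[count]) == 0;
        free(name);
        if (!ok) return -1;
        count++;
    }
    return count;
}

// A length that claims more bytes than the message carries, and one of
// 0xFFFFFFFF that would wrap size + 1 to zero, must both be rejected.
int rejects_bad_lengths(void) {
    static const uint8_t truncated[] = { 0x00, 0x00, 0x00, 0x0A, 'a', 'b' };
    static const uint8_t huge[] = { 0xFF, 0xFF, 0xFF, 0xFF };
    size_t off = 0;
    uint32_t len;
    if (decode_name(truncated, sizeof truncated, &off, &len) != NULL) return 0;
    off = 0;
    if (decode_name(huge, sizeof huge, &off, &len) != NULL) return 0;
    return 1;
}

int main(void) {
    printf("decoded %d names, bad lengths rejected: %d\n",
           decode_sample(), rejects_bad_lengths());
    return 0;
}
```

The check on `size` before `malloc` is the part the one-line patch does not cover: with the length coming from the peer, `size + 1` alone only moves the terminator into bounds when the addition does not wrap.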

_______________________________________________
Opensaf-devel mailing list
Opensaf-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opensaf-devel