Ack, review only/Thanks HansN

-----Original Message-----
From: Vu Minh Nguyen <vu.m.ngu...@dektech.com.au> 
Sent: 29 October 2018 10:15
To: Hans Nordebäck <hans.nordeb...@ericsson.com>; Lennart Lund 
<lennart.l...@ericsson.com>; Gary Lee <gary....@dektech.com.au>
Cc: opensaf-devel@lists.sourceforge.net; Vu Minh Nguyen 
<vu.m.ngu...@dektech.com.au>
Subject: [PATCH 1/1] imm: fix osafimmnd coredump generated during sanity test 
[#2947]

The coredump is generated in the context of processing the message type 
"IMMND_EVT_D2ND_IMPLDELETE" because the memory is corrupted at the time of 
decoding that message.

It allocated 'size' bytes of memory with the boundary in range [0 - 'size - 
1'], but modified (added a null terminator to) the memory at the index of `size`, 
which was out of that range.

This patch fixes this issue. The memory should be allocated with `size + 1` 
bytes in length.
---
 src/imm/common/immsv_evt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/imm/common/immsv_evt.c b/src/imm/common/immsv_evt.c index 
03a7f8125..c93f82a0f 100644
--- a/src/imm/common/immsv_evt.c
+++ b/src/imm/common/immsv_evt.c
@@ -2898,7 +2898,7 @@ static uint32_t immsv_evt_dec_sublevels(NCS_UBAID *i_ub, 
IMMSV_EVT *o_evt)
                                implNameList[i].size = ncs_decode_32bit(&p8);
                                ncs_dec_skip_space(i_ub, 4);
 
-                               implNameList[i].buf = (char 
*)malloc(implNameList[i].size);
+                               implNameList[i].buf = (char 
*)malloc(implNameList[i].size + 1);
                                if (implNameList[i].buf == NULL ||
                                                
ncs_decode_n_octets_from_uba(i_ub,
                                                                (uint8_t 
*)implNameList[i].buf,
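
Review bot: the new allocation length `implNameList[i].size + 1` is computed from a value that was just read from the incoming message by `ncs_decode_32bit(&p8)`, and no upper bound on it is visible in this hunk. If `size` is a 32-bit unsigned field, a decoded value of 0xFFFFFFFF makes `size + 1` wrap to 0, so `malloc` could return a zero-length buffer that the `ncs_decode_n_octets_from_uba` call and the later null-terminator write would then overrun, which is the same class of corruption this patch is fixing. Suggest rejecting sizes above a sane maximum for an implementer name before the `malloc` and failing the decode otherwise. A short comment on the `+ 1` line saying it reserves room for the null terminator would also keep the next reader from "simplifying" it away.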
--
2.18.0


