Ack, review only/Thanks HansN

-----Original Message-----
From: Vu Minh Nguyen <vu.m.ngu...@dektech.com.au>
Sent: 29 October 2018 10:15
To: Hans Nordebäck <hans.nordeb...@ericsson.com>; Lennart Lund <lennart.l...@ericsson.com>; Gary Lee <gary....@dektech.com.au>
Cc: opensaf-devel@lists.sourceforge.net; Vu Minh Nguyen <vu.m.ngu...@dektech.com.au>
Subject: [PATCH 1/1] imm: fix osafimmnd coredump generated during sanity test [#2947]

The coredump is generated in the context of processing the message type "IMMND_EVT_D2ND_IMPLDELETE" because the memory is corrupted at the time of decoding that message. It allocated 'size' bytes of memory with the boundary in range [0 - 'size - 1'], but modified the memory at index `size`, which is out of that range, by adding a null terminator there. This patch fixes that issue. The memory should be allocated with `size + 1` bytes in length.

--- src/imm/common/immsv_evt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/imm/common/immsv_evt.c b/src/imm/common/immsv_evt.c index 03a7f8125..c93f82a0f 100644 --- a/src/imm/common/immsv_evt.c +++ b/src/imm/common/immsv_evt.c @@ -2898,7 +2898,7 @@ static uint32_t immsv_evt_dec_sublevels(NCS_UBAID *i_ub, IMMSV_EVT *o_evt) implNameList[i].size = ncs_decode_32bit(&p8); ncs_dec_skip_space(i_ub, 4); - implNameList[i].buf = (char *)malloc(implNameList[i].size); + implNameList[i].buf = (char *)malloc(implNameList[i].size + 1); if (implNameList[i].buf == NULL || ncs_decode_n_octets_from_uba(i_ub, (uint8_t *)implNameList[i].buf, -- 2.18.0
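
Review bot: implNameList[i].size is taken straight from ncs_decode_32bit() and passed to malloc() as `size + 1` with no bound check in the visible lines. If the field is an unsigned 32-bit value, a decoded size of 0xFFFFFFFF makes `size + 1` wrap to 0, so the allocation can succeed with a minimal buffer while ncs_decode_n_octets_from_uba() and the terminator write still use the original size. Suggest rejecting sizes above a sane maximum (or above the bytes remaining in i_ub) before the malloc, and adding a short comment that the extra byte holds the null terminator, since the write at index `size` is outside this hunk.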