When creating or modifying an object having size of attribute value over 65535,
this actual size will be truncated because dataSize of saNtfPtrValAllocate
is SaUint16T (from 0 to 65535). Thus, after saNtfPtrValAllocate is invoked,
the attribute value is assigned to the memory allocated with the actual
size over 65535 and causes a memory corruption.
Solution is to prevent the size of data and log a warning if it's over 65535.
---
src/ntf/ntfimcnd/ntfimcn_notifier.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/ntf/ntfimcnd/ntfimcn_notifier.c
b/src/ntf/ntfimcnd/ntfimcn_notifier.c
index c63b4393f..05cbb6a67 100644
--- a/src/ntf/ntfimcnd/ntfimcn_notifier.c
+++ b/src/ntf/ntfimcnd/ntfimcn_notifier.c
@@ -233,6 +233,13 @@ static int fill_value_array(SaNtfNotificationHandleT
notificationHandle,
TRACE_ENTER();
+ if (value_in_size > USHRT_MAX) {
+ LOG_WA("Failed to prepare notification as attr value size "
+ "(%llu) > MAX(%u)",
+ value_in_size, USHRT_MAX);
+ internal_rc = (-1);
+ goto done;
+ }
rc = saNtfPtrValAllocate(notificationHandle, value_in_size,
(void **)&dest_ptr, value_out);
if (rc != SA_AIS_OK) {
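Review bot: in the new LOG_WA call, value_in_size is printed with %llu without a cast, and the hunk does not show its declared type; if it is not unsigned long long, the varargs mismatch is undefined behaviour, so cast it explicitly, e.g. (unsigned long long)value_in_size. All 7 insertions are in this hunk, so no #include <limits.h> is added for USHRT_MAX; confirm the file already includes it. Because the limit comes from the SaUint16T dataSize parameter of saNtfPtrValAllocate rather than from unsigned short as such, a one-line comment above the check stating that would make the bound easier to audit. It is also worth confirming that the path reached through "goto done" with internal_rc = (-1) does not leave value_out partially initialised for the caller.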
--
2.17.1