Posted to notifications@mynewt.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2017/03/07 21:36:38 UTC
[jira] [Commented] (MYNEWT-656) os_mbuf_copyinto() memory overrun
[ https://issues.apache.org/jira/browse/MYNEWT-656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15900214#comment-15900214 ]
ASF subversion and git services commented on MYNEWT-656:
--------------------------------------------------------
Commit b3f9b9648f835e3d12f8f7d5a2d5724e31e5a08e in incubator-mynewt-core's branch refs/heads/develop from [~marko]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-mynewt-core.git;h=b3f9b96 ]
MYNEWT-656; kernel/os - fix memory corruption by os_mbuf_copyinto().
> os_mbuf_copyinto() memory overrun
> ---------------------------------
>
> Key: MYNEWT-656
> URL: https://issues.apache.org/jira/browse/MYNEWT-656
> Project: Mynewt
> Issue Type: Bug
> Reporter: Marko Kiiskila
> Assignee: Marko Kiiskila
> Priority: Critical
> Fix For: v1_0_0_rel
>
>
> os_mbuf_copyinto() corrupts memory when the copy spans 2 or more target mbufs.
> The problem is that cur_off is not reset after copying the first part of the data.
> diff --git a/kernel/os/src/os_mbuf.c b/kernel/os/src/os_mbuf.c
> index 28dec0b..7888a86 100644
> --- a/kernel/os/src/os_mbuf.c
> +++ b/kernel/os/src/os_mbuf.c
> @@ -1086,6 +1086,7 @@ os_mbuf_copyinto(struct os_mbuf *om, int off, const void *src, int len)
> }
>
> cur = next;
> + cur_off = 0;
> }
>
> /* Append the remaining data to the end of the chain. */
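Review bot: the reset at `cur_off = 0;` after `cur = next;` ships without a regression test; this diff touches only kernel/os/src/os_mbuf.c. Suggest adding a unit test that calls os_mbuf_copyinto() with a nonzero off and a len that spans two or more mbufs, then checks the bytes on both sides of each mbuf boundary, since that is the case the issue describes. A one-line comment on the reset, saying that the starting offset applies only to the first mbuf written, would also make it harder to drop in a later refactor.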
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
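A simplified model of the stale-offset bug described in the issue, added here as an illustration; it is not Mynewt's os_mbuf code. `struct seg`, `chain_copyinto()`, `demo()`, the `reset_off` switch and the fixed 8-byte segment size are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>

#define SEG_LEN 8               /* constructed: payload bytes per segment */

/* Hypothetical stand-in for a chained buffer; this is not struct os_mbuf. */
struct seg {
    uint8_t data[SEG_LEN];
    struct seg *next;
};

/*
 * Overwrite len bytes of the chain starting at absolute offset off.
 * reset_off = 0 keeps the start offset across segments (the reported bug);
 * reset_off = 1 clears it after the first segment (the fix).
 * Returns the number of source bytes that did not fit, or -1 on bad input.
 */
static int
chain_copyinto(struct seg *s, int off, const void *src, int len, int reset_off)
{
    const uint8_t *sptr = src;
    int cur_off, copylen;
    if (off < 0 || len < 0) return -1;
    /* Find the (segment, offset) pair where the write starts. */
    for (; s != NULL && off >= SEG_LEN; s = s->next)
        off -= SEG_LEN;
    cur_off = off;
    for (; s != NULL && len > 0; s = s->next) {
        copylen = (SEG_LEN - cur_off < len) ? SEG_LEN - cur_off : len;
        memcpy(s->data + cur_off, sptr, copylen);
        sptr += copylen;
        len -= copylen;
        if (reset_off)
            cur_off = 0;        /* later segments are written from byte 0 */
    }
    return len;
}

/* Constructed input: write "ABCDEF" at offset 5 across two zeroed segments. */
static int demo(int reset_off, uint8_t out[2 * SEG_LEN])
{
    struct seg b = { {0}, NULL }, a = { {0}, &b };
    int left = chain_copyinto(&a, 5, "ABCDEF", 6, reset_off);
    memcpy(out, a.data, SEG_LEN);
    memcpy(out + SEG_LEN, b.data, SEG_LEN);
    return left;
}

int main(void) { uint8_t out[2 * SEG_LEN]; return demo(1, out); }
```

With `reset_off = 0` the call still reports that everything was written, but the second half of the data lands at bytes 5..7 of the second segment instead of bytes 0..2.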