Posted to notifications@mynewt.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2017/03/07 21:36:38 UTC

[jira] [Commented] (MYNEWT-656) os_mbuf_copyinto() memory overrun

    [ https://issues.apache.org/jira/browse/MYNEWT-656?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15900214#comment-15900214 ] 

ASF subversion and git services commented on MYNEWT-656:
--------------------------------------------------------

Commit b3f9b9648f835e3d12f8f7d5a2d5724e31e5a08e in incubator-mynewt-core's branch refs/heads/develop from [~marko]
[ https://git-wip-us.apache.org/repos/asf?p=incubator-mynewt-core.git;h=b3f9b96 ]

MYNEWT-656; kernel/os - fix memory corruption by os_mbuf_copyinto().


> os_mbuf_copyinto() memory overrun
> ---------------------------------
>
>                 Key: MYNEWT-656
>                 URL: https://issues.apache.org/jira/browse/MYNEWT-656
>             Project: Mynewt
>          Issue Type: Bug
>            Reporter: Marko Kiiskila
>            Assignee: Marko Kiiskila
>            Priority: Critical
>             Fix For: v1_0_0_rel
>
>
> os_mbuf_copyinto() corrupts memory when a copy spans 2 or more target mbufs.
> The problem is that cur_off is not reset after copying the first part of the data.
> diff --git a/kernel/os/src/os_mbuf.c b/kernel/os/src/os_mbuf.c
> index 28dec0b..7888a86 100644
> --- a/kernel/os/src/os_mbuf.c
> +++ b/kernel/os/src/os_mbuf.c
> @@ -1086,6 +1086,7 @@ os_mbuf_copyinto(struct os_mbuf *om, int off, const void *src, int len)
>          }
>  
>          cur = next;
> +        cur_off = 0;
>      }
>  
>      /* Append the remaining data to the end of the chain. */
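
Review bot: the `cur_off = 0;` added after `cur = next;` carries no comment, and the diff shown touches only kernel/os/src/os_mbuf.c, so nothing in it exercises the case from the report (a copy that spans 2 or more target mbufs). A one-line comment stating that the starting offset applies only to the first mbuf written would keep the reset from being dropped in a later cleanup. Since the issue is marked Critical, a regression test belongs with the fix: call os_mbuf_copyinto() with a non-zero `off` and a `len` that crosses at least one mbuf boundary, then check that the bytes in each following mbuf start at its offset 0 and that data outside the requested range is unchanged.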



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)