From 08503a20be606968ef116b1b95f9c24a05762cb0 Mon Sep 17 00:00:00 2001
From: rajithr
Date: Wed, 27 May 2015 19:06:19 +0530
Subject: [PATCH 1/2] Protection against possible buffer overflow
---
 core/net/packetbuf.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/core/net/packetbuf.c b/core/net/packetbuf.c
index 217f40bc2..20bfebe80 100644
--- a/core/net/packetbuf.c
+++ b/core/net/packetbuf.c
@@ -141,6 +141,7 @@ packetbuf_copyto(void *to)
 int i;
 char buffer[1000];
 char *bufferptr = buffer;
+ int bufferlen = 0;
 bufferptr[0] = 0;
 for(i = hdrptr; i < PACKETBUF_HDR_SIZE; ++i) {
@@ -149,8 +150,8 @@ packetbuf_copyto(void *to)
 PRINTF("packetbuf_write: header: %s\n", buffer);
 bufferptr = buffer;
 bufferptr[0] = 0;
- for(i = bufptr; i < buflen + bufptr; ++i) {
- bufferptr += sprintf(bufferptr, "0x%02x, ", packetbufptr[i]);
+ for(i = bufptr; ((i < buflen + bufptr) && (bufferlen < 980)); ++i) {
+ bufferlen += sprintf(bufferptr + bufferlen, "0x%02x, ", packetbufptr[i]);
 }
 PRINTF("packetbuf_write: data: %s\n", buffer);
 }
From 2a2acf62ed1b45454ebbb56769e83d15a5e8feff Mon Sep 17 00:00:00 2001
From: rajithr
Date: Mon, 31 Aug 2015 16:10:00 +0530
Subject: [PATCH 2/2] Fix for out of bounds access Fix for out of bounds access by limiting the printing to the size limit of the buffer
---
 core/net/packetbuf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/net/packetbuf.c b/core/net/packetbuf.c
index 20bfebe80..c7e2a9898 100644
--- a/core/net/packetbuf.c
+++ b/core/net/packetbuf.c
@@ -150,7 +150,7 @@ packetbuf_copyto(void *to)
 PRINTF("packetbuf_write: header: %s\n", buffer);
 bufferptr = buffer;
 bufferptr[0] = 0;
- for(i = bufptr; ((i < buflen + bufptr) && (bufferlen < 980)); ++i) {
+ for(i = bufptr; ((i < buflen + bufptr) && (bufferlen < (sizeof(buffer) - 10))); ++i) {
 bufferlen += sprintf(bufferptr + bufferlen, "0x%02x, ", packetbufptr[i]);
 }
 PRINTF("packetbuf_write: data: %s\n", buffer);
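Review bot: The header loop `for(i = hdrptr; i < PACKETBUF_HDR_SIZE; ++i)` at the end of this hunk gets no bound, although its output is printed from the same 1000-byte `buffer`. Its body lies outside the hunk, so this is inferred: if it uses the same `sprintf` append as the data loop, it stays in bounds only while `(PACKETBUF_HDR_SIZE - hdrptr) * 6 + 1` bytes fit in `buffer`. Either apply the same guard there or record the assumption next to `char buffer[1000];`, for example `/* header dump needs PACKETBUF_HDR_SIZE * 6 + 1 bytes */`.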
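Review bot: The `sprintf` into `bufferptr + bufferlen` is still unbounded; the write stays inside `buffer` only because the loop condition leaves a margin larger than one formatted element. `%02x` is a minimum width, so that holds for values 0–255 but not if the element type of `packetbufptr` is a signed `char` (its declaration is not in this hunk), where a promoted negative value prints eight hex digits. Passing the remaining space makes the bound explicit: `bufferlen += snprintf(bufferptr + bufferlen, sizeof(buffer) - bufferlen, "0x%02x, ", (unsigned char)packetbufptr[i]);`. The dump is also cut off silently once the limit is reached; a trailing marker in the `PRINTF` would tell the reader the data is incomplete.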
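Review bot: `bufferlen < (sizeof(buffer) - 10)` compares an `int` with a `size_t`, so `bufferlen` is converted to unsigned, and the `10` is a second magic number that has to stay at least as large as one formatted element plus the terminator (7 bytes for `0x%02x, ` with an 8-bit value). The change also narrows the headroom from 20 bytes to 10. Tying the margin to the format keeps the two in step: `for(i = bufptr; i < buflen + bufptr && (size_t)bufferlen + sizeof("0xff, ") <= sizeof(buffer); ++i) {`. The enclosing block starts outside the hunk.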