[B.A.T.M.A.N.] [PATCH 10/10] alfred: Fix length check for push_data

Sven Eckelmann sven at narfation.org
Sat May 24 13:44:15 CEST 2014


The client receives the push_data header and the header of a data_block when
it tries to parse the answer of a request. The remaining buffer size to store
the actual data has to remove these two headers from its available, original
buffer size. The read of the data would otherwise (potentially) overflow
the output buffer.

Signed-off-by: Sven Eckelmann <sven at narfation.org>

---
 client.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/client.c b/client.c
index 3670f4f..0283f57 100644
--- a/client.c
+++ b/client.c
@@ -38,6 +38,7 @@ int alfred_client_request_data(struct globals *globals)
 	struct alfred_tlv *tlv;
 	struct alfred_data *data;
 	int ret, len, data_len, i;
+	const size_t buf_data_len = sizeof(buf) - sizeof(*push) + sizeof(*data);
 
 	if (unix_sock_open_client(globals, ALFRED_SOCK_PATH))
 		return -1;
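Review bot: The `buf_data_len` initializer adds `sizeof(*data)`, while the commit message says both headers have to be removed from the available buffer size. As written the bound is larger than the old `sizeof(buf) - sizeof(*push)` rather than smaller, so the check is loosened instead of tightened. The expression should read `sizeof(buf) - sizeof(*push) - sizeof(*data)`.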
@@ -88,7 +89,7 @@ int alfred_client_request_data(struct globals *globals)
 		data_len = ntohs(data->header.length);
 
 		/* would it fit? it should! */
-		if (data_len > (int)(sizeof(buf) - sizeof(*push)))
+		if (data_len > (int)buf_data_len)
 			break;
 
 		/* read the data */
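Review bot: In `if (data_len > (int)buf_data_len)` the `size_t` bound is narrowed to `int` only to match the type of `data_len`. Since `data_len` is assigned from `ntohs()` and cannot be negative, comparing as `(size_t)data_len > buf_data_len` would avoid the narrowing cast. The oversized case also still ends in a bare `break` with no diagnostic in the visible lines; a message to the user would make a rejected block distinguishable from a normal end of data.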
-- 
2.0.0.rc2
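
The length rule described in the commit message, as an added, self-contained example (not code from alfred or from this patch). The struct layouts, `BUF_SIZE`, and the names `payload_capacity`, `read_block` and `demo` are assumptions made for illustration, and the input is a constructed in-memory message rather than a socket read:

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the wire headers; field layouts are assumptions. */
struct tlv { uint8_t type, version; uint16_t length; } __attribute__((packed));
struct push_hdr { struct tlv header; uint16_t tx_id, seqno; } __attribute__((packed));
struct data_hdr { uint8_t source[6]; struct tlv header; } __attribute__((packed));

#define BUF_SIZE 64
#define HDRS (sizeof(struct push_hdr) + sizeof(struct data_hdr))

/* Bytes left for payload once both headers sit at the front of the buffer. */
static size_t payload_capacity(size_t buf_size)
{
	return buf_size > HDRS ? buf_size - HDRS : 0;
}

/* Copy one block from `in` into `buf`; return payload length, or -1 when the
 * input is truncated or the declared length does not fit behind the headers. */
static int read_block(const uint8_t *in, size_t in_len, uint8_t *buf, size_t buf_size)
{
	struct data_hdr data;
	size_t data_len;
	if (in_len < HDRS || buf_size < HDRS)
		return -1;
	memcpy(buf, in, HDRS);
	memcpy(&data, buf + sizeof(struct push_hdr), sizeof(data));
	data_len = ntohs(data.header.length);
	if (data_len > payload_capacity(buf_size) || data_len > in_len - HDRS)
		return -1;
	memcpy(buf + HDRS, in + HDRS, data_len);
	return (int)data_len;
}

/* Build a constructed message declaring `len` payload bytes and parse it. */
static int demo(uint16_t len)
{
	uint8_t in[256] = {0}, buf[BUF_SIZE];
	struct data_hdr data = { .header = { .length = htons(len) } };
	memcpy(in + sizeof(struct push_hdr), &data, sizeof(data));
	return read_block(in, sizeof(in), buf, sizeof(buf));
}

int main(void) { return demo(46) == 46 && demo(47) == -1 ? 0 : 1; }
```

With these assumed layouts the two headers take 18 bytes, so a declared length of 47 is rejected even though it is smaller than the buffer minus the first header alone.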


