fix memory corruption in rewrite-vendor
Fabian Mauchle committed May 17, 2019
1 parent 17f1715 commit 24f1cc2
Showing 3 changed files with 20 additions and 14 deletions.
1 change: 0 additions & 1 deletion hash.c
@@ -3,7 +3,6 @@

#include <stdlib.h>
#include <string.h>
#include <pthread.h>
#include "list.h"
#include "hash.h"

1 change: 1 addition & 0 deletions hash.h
@@ -4,6 +4,7 @@
#ifndef SYS_SOLARIS9
#include <stdint.h>
#endif
#include <pthread.h>

struct hash {
struct list *hashlist;
32 changes: 19 additions & 13 deletions rewrite.c
@@ -456,27 +456,33 @@ int replacesubtlv(struct tlv *vendortlv, uint8_t *p, struct tlv *newtlv) {
}

int dorewritemodvattr(struct tlv *vendortlv, struct modattr *modvattr) {
uint8_t *p;
struct tlv *tmpattr;
int offset;

if (vendortlv->l <= 4 || !attrvalidate(vendortlv->v+4, vendortlv->l-4))
return 0;
for (p = vendortlv->v+4; p < (vendortlv->v + vendortlv->l); p = p+ATTRLEN(p)) {
if (ATTRTYPE(p) == modvattr->t) {
tmpattr = maketlv(ATTRTYPE(p), ATTRVALLEN(p), ATTRVAL(p));
for (offset = 4; offset < vendortlv->l; offset += ATTRLEN(vendortlv->v+offset)) {
if (ATTRTYPE(vendortlv->v+offset) == modvattr->t) {
tmpattr = maketlv(ATTRTYPE(vendortlv->v+offset), ATTRVALLEN(vendortlv->v+offset), ATTRVAL(vendortlv->v+offset));
if (dorewritemodattr(tmpattr, modvattr)) {
int size_diff = tmpattr->l - ATTRVALLEN(p);
uint8_t *next_attr = p+ATTRLEN(p);
uint8_t rem_size = (vendortlv->v + vendortlv->l) - next_attr;
int size_diff = tmpattr->l - ATTRVALLEN(vendortlv->v+offset);
int rem_size = vendortlv->l - offset - ATTRLEN(vendortlv->v+offset);
uint8_t *next;

if (size_diff < 0)
memmove(next_attr + size_diff, next_attr, rem_size);
if (!resizeattr(vendortlv, vendortlv->l+size_diff))
return 0;
if (size_diff > 0)
memmove(next_attr + size_diff, next_attr, rem_size);
if (!resizeattr(vendortlv, vendortlv->l+size_diff)) {
freetlv(tmpattr);
return 0;
}
next = vendortlv->v + offset + ATTRLEN(vendortlv->v+offset);
memmove(next + size_diff, next, rem_size);
if (size_diff < 0)
if (!resizeattr(vendortlv, vendortlv->l+size_diff)) {
freetlv(tmpattr);
return 0;
}

tlv2buf(p, tmpattr);
tlv2buf(vendortlv->v+offset, tmpattr);
} else {
freetlv(tmpattr);
return 0;
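Review bot: The grow path calls `resizeattr(vendortlv, vendortlv->l+size_diff)` without first checking that the enlarged vendor value still fits the attribute's length field, and the following `memmove(next + size_diff, next, rem_size)` trusts that the buffer really grew by `size_diff`. resizeattr is not shown on this page; if its length parameter or `vendortlv->l` is an 8-bit type (the removed `uint8_t rem_size` hints that lengths are), a sum above 255 would be truncated and the memmove would write past the reallocated buffer. I would reject the rewrite before resizing, e.g. `if (vendortlv->l + size_diff > MAX_VENDOR_VALUE_LEN) { freetlv(tmpattr); return 0; }`, where MAX_VENDOR_VALUE_LEN is a placeholder for the project's own limit, unless resizeattr already enforces it. dorewritemodvattr continues past the end of this hunk, so the rest of the loop body was not reviewed.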
