From 1fdbda9700ecdbc5be8f20b1c0eb2436d803f86b Mon Sep 17 00:00:00 2001 From: Dirk Ziegelmeier Date: Sun, 15 Jan 2017 17:36:33 +0100 Subject: [PATCH] Fix bug #50040: pbuf_alloc(..., 65534, PBUF_RAM) succeeds Check for integer overflow when calculating memory allocation size (cherry picked from commit 9898d406bc5ea8a268895672bb56a6811c4cec43) --- src/core/pbuf.c | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) diff --git a/src/core/pbuf.c b/src/core/pbuf.c index af63e60d..4ca95b9a 100644 --- a/src/core/pbuf.c +++ b/src/core/pbuf.c @@ -350,8 +350,18 @@ pbuf_alloc(pbuf_layer layer, u16_t length, pbuf_type type) break; case PBUF_RAM: - /* If pbuf is to be allocated in RAM, allocate memory for it. */ - p = (struct pbuf*)mem_malloc(LWIP_MEM_ALIGN_SIZE(SIZEOF_STRUCT_PBUF + offset) + LWIP_MEM_ALIGN_SIZE(length)); + { + mem_size_t alloc_len = LWIP_MEM_ALIGN_SIZE(SIZEOF_STRUCT_PBUF + offset) + LWIP_MEM_ALIGN_SIZE(length); + + /* bug #50040: Check for integer overflow when calculating alloc_len */ + if (alloc_len < LWIP_MEM_ALIGN_SIZE(length)) { + return NULL; + } + + /* If pbuf is to be allocated in RAM, allocate memory for it. */ + p = (struct pbuf*)mem_malloc(alloc_len); + } + if (p == NULL) { return NULL; }