mirror/lwip
1
0
Fork 0
mirror of https://github.com/lwip-tcpip/lwip.git synced 2024-11-16 23:15:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix bug #50040: pbuf_alloc(..., 65534, PBUF_RAM) succeeds

Browse Source 
Check for integer overflow when calculating memory allocation size
(cherry picked from commit 9898d406bc)
This commit is contained in:
Dirk Ziegelmeier 2017-01-15 17:36:33 +01:00 committed by goldsimon
parent fed15778dd
commit 1fdbda9700
1 changed files with 12 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/core/pbuf.c
View File

@ -350,8 +350,18 @@ pbuf_alloc(pbuf_layer layer, u16_t length, pbuf_type type)
break; break;
case PBUF_RAM: case PBUF_RAM:
{
mem_size_t alloc_len = LWIP_MEM_ALIGN_SIZE(SIZEOF_STRUCT_PBUF + offset) + LWIP_MEM_ALIGN_SIZE(length);
/* bug #50040: Check for integer overflow when calculating alloc_len */
if (alloc_len < LWIP_MEM_ALIGN_SIZE(length)) {
return NULL;
}
/* If pbuf is to be allocated in RAM, allocate memory for it. */ /* If pbuf is to be allocated in RAM, allocate memory for it. */
p = (struct pbuf*)mem_malloc(LWIP_MEM_ALIGN_SIZE(SIZEOF_STRUCT_PBUF + offset) + LWIP_MEM_ALIGN_SIZE(length)); p = (struct pbuf*)mem_malloc(alloc_len);
}
if (p == NULL) { if (p == NULL) {
return NULL; return NULL;
} }