mirror of
https://github.com/lwip-tcpip/lwip.git
synced 2024-11-16 23:15:37 +00:00
Fix bug #50040: pbuf_alloc(..., 65534, PBUF_RAM) succeeds
Check for integer overflow when calculating memory allocation size
(cherry picked from commit 9898d406bc
)
This commit is contained in:
parent
fed15778dd
commit
1fdbda9700
@ -350,8 +350,18 @@ pbuf_alloc(pbuf_layer layer, u16_t length, pbuf_type type)
|
|||||||
|
|
||||||
break;
|
break;
|
||||||
case PBUF_RAM:
|
case PBUF_RAM:
|
||||||
/* If pbuf is to be allocated in RAM, allocate memory for it. */
|
{
|
||||||
p = (struct pbuf*)mem_malloc(LWIP_MEM_ALIGN_SIZE(SIZEOF_STRUCT_PBUF + offset) + LWIP_MEM_ALIGN_SIZE(length));
|
mem_size_t alloc_len = LWIP_MEM_ALIGN_SIZE(SIZEOF_STRUCT_PBUF + offset) + LWIP_MEM_ALIGN_SIZE(length);
|
||||||
|
|
||||||
|
/* bug #50040: Check for integer overflow when calculating alloc_len */
|
||||||
|
if (alloc_len < LWIP_MEM_ALIGN_SIZE(length)) {
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* If pbuf is to be allocated in RAM, allocate memory for it. */
|
||||||
|
p = (struct pbuf*)mem_malloc(alloc_len);
|
||||||
|
}
|
||||||
|
|
||||||
if (p == NULL) {
|
if (p == NULL) {
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user