Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix heap corruption #25

Merged
merged 3 commits into from
May 30, 2024
+48 −1
Merged

Fix heap corruption #25

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
9f75760
[nrf toup] packet: Add Malloc checks
krish2718 May 20, 2024
28cb907
[nrf toup] packet: Fix heap corruption
krish2718 May 28, 2024
3ba8083
[nrf noup] zephyr: Fix POSIX failures
krish2718 May 29, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 32 additions & 0 deletions indigo_api.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -322,15 +322,31 @@ void fill_wrapper_ack(struct packet_wrapper *wrapper, int seq, int status, char

wrapper->tlv_num = 2;
wrapper->tlv[0] = malloc(sizeof(struct tlv_hdr));
if (!wrapper->tlv[0]) {
indigo_logger(LOG_LEVEL_ERROR, "%d: Failed to allocate memory for TLV (size: %zu)", __LINE__, sizeof(struct tlv_hdr));
return;
}
wrapper->tlv[0]->id = TLV_STATUS;
wrapper->tlv[0]->len = 1;
wrapper->tlv[0]->value = (char*)malloc(wrapper->tlv[0]->len);
if (!wrapper->tlv[0]->value) {
indigo_logger(LOG_LEVEL_ERROR, "%d: Failed to allocate memory for TLV value (size: %d)", __LINE__, wrapper->tlv[0]->len);
return;
}
wrapper->tlv[0]->value[0] = status;

wrapper->tlv[1] = malloc(sizeof(struct tlv_hdr));
if (!wrapper->tlv[1]) {
indigo_logger(LOG_LEVEL_ERROR, "%d: Failed to allocate memory for TLV (size: %zu)", __LINE__, sizeof(struct tlv_hdr));
return;
}
wrapper->tlv[1]->id = TLV_MESSAGE;
wrapper->tlv[1]->len = strlen(reason);
wrapper->tlv[1]->value = (char*)malloc(wrapper->tlv[1]->len);
if (!wrapper->tlv[1]->value) {
indigo_logger(LOG_LEVEL_ERROR, "%d: Failed to allocate memory for TLV value (size: %d)", __LINE__, wrapper->tlv[1]->len);
return;
}
memcpy(wrapper->tlv[1]->value, reason, wrapper->tlv[1]->len);
}

Expand Down Expand Up @@ -359,19 +375,35 @@ void fill_wrapper_message_hdr(struct packet_wrapper *wrapper, int msg_type, int
/* Fill the TLV structure to the wrapper (for one byte value) */
void fill_wrapper_tlv_byte(struct packet_wrapper *wrapper, int id, char value) {
wrapper->tlv[wrapper->tlv_num] = malloc(sizeof(struct tlv_hdr));
if (!wrapper->tlv[wrapper->tlv_num]) {
indigo_logger(LOG_LEVEL_ERROR, "%d: Failed to allocate memory for TLV (size: %zu)", __LINE__, sizeof(struct tlv_hdr));
return;
}
wrapper->tlv[wrapper->tlv_num]->id = id;
wrapper->tlv[wrapper->tlv_num]->len = 1;
wrapper->tlv[wrapper->tlv_num]->value = (char*)malloc(1);
if (!wrapper->tlv[wrapper->tlv_num]->value) {
indigo_logger(LOG_LEVEL_ERROR, "%d: Failed to allocate memory for TLV value (size: %d)", __LINE__, 1);
return;
}
wrapper->tlv[wrapper->tlv_num]->value[0] = value;
wrapper->tlv_num++;
}

/* Fill the TLV structure to the wrapper (for multiple bytes value) */
void fill_wrapper_tlv_bytes(struct packet_wrapper *wrapper, int id, int len, char* value) {
wrapper->tlv[wrapper->tlv_num] = malloc(sizeof(struct tlv_hdr));
if (!wrapper->tlv[wrapper->tlv_num]) {
indigo_logger(LOG_LEVEL_ERROR, "%d: Failed to allocate memory for TLV", __LINE__);
return;
}
wrapper->tlv[wrapper->tlv_num]->id = id;
wrapper->tlv[wrapper->tlv_num]->len = len;
wrapper->tlv[wrapper->tlv_num]->value = (char*)malloc(len);
if (!wrapper->tlv[wrapper->tlv_num]->value) {
indigo_logger(LOG_LEVEL_ERROR, "%d: Failed to allocate memory for TLV value", __LINE__);
return;
}
memcpy(wrapper->tlv[wrapper->tlv_num]->value, value, len);
wrapper->tlv_num++;
}
14 changes: 13 additions & 1 deletion indigo_packet.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,6 +50,10 @@ int parse_packet(struct packet_wrapper *req, char *packet, size_t packet_len) {
/* Parse the TLVs */
while (packet_len - parser > 0) {
req->tlv[req->tlv_num] = (struct tlv_hdr *)malloc(sizeof(struct tlv_hdr));
if (!req->tlv[req->tlv_num]) {
indigo_logger(LOG_LEVEL_ERROR, "%d: Failed to allocate memory for TLV; %d" , __LINE__, req->tlv_num);
return -1;
}
memset(req->tlv[req->tlv_num], 0, sizeof(struct tlv_hdr));

ret = parse_tlv(req->tlv[req->tlv_num], packet + parser, packet_len - parser);
Expand Down Expand Up @@ -212,6 +216,10 @@ int add_tlv(struct tlv_hdr *tlv, int id, size_t len, char *value) {
tlv->id = id;
tlv->len = len;
tlv->value = (char*)malloc(sizeof(char)*len);
if (!tlv->value) {
indigo_logger(LOG_LEVEL_ERROR, "Failed to allocate memory for TLV value: %d", tlv->len);
return 1;
}
memcpy(tlv->value, value, len);
return 0;
}
Expand All @@ -224,7 +232,11 @@ int parse_tlv(struct tlv_hdr *tlv, char *packet, size_t packet_len) {

tlv->id = ((packet[0] & 0x00ff) << 8) | (packet[1] & 0x00ff);
tlv->len = packet[2];
tlv->value = (char*)malloc(sizeof(char) * tlv->len);
tlv->value = (char*)malloc((sizeof(char) * tlv->len) + 1);
if (!tlv->value) {
indigo_logger(LOG_LEVEL_ERROR, "Failed to allocate memory for TLV value: %d", tlv->len);
return -1;
}
memcpy(tlv->value, &packet[3], tlv->len);
tlv->value[tlv->len] = '\0';

Expand Down
Loading