From 01b08f09c553b847ff740590eef6b2aedeafc952 Mon Sep 17 00:00:00 2001
From: Donald Sharp
Date: Mon, 9 Oct 2017 16:36:52 -0400
Subject: [PATCH] babeld: Do not copy beyond end of data
The function really_send_update takes a 'const unsigned char *id'. and is called with myid(a 8 byte array) and route->src->id(an 8 byte array), but we copy these pointers into babel_ifp->buffered_id which is a 16 byte array. Adjust the size of buffered_id to be 8 bytes and fix the copy to only copy the 8 bytes.
Signed-off-by: Donald Sharp
---
 babeld/babel_interface.h | 2 +-
 babeld/message.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/babeld/babel_interface.h b/babeld/babel_interface.h
index 64509afa17..501177e602 100644
--- a/babeld/babel_interface.h
+++ b/babeld/babel_interface.h
@@ -50,7 +50,7 @@ struct babel_interface {
 char have_buffered_id;
 char have_buffered_nh;
 char have_buffered_prefix;
- unsigned char buffered_id[16];
+ unsigned char buffered_id[8];
 unsigned char buffered_nh[4];
 unsigned char buffered_prefix[16];
 unsigned char *sendbuf;
diff --git a/babeld/message.c b/babeld/message.c
index e31d5de5df..142770e86e 100644
--- a/babeld/message.c
+++ b/babeld/message.c
@@ -1080,7 +1080,7 @@ really_send_update(struct interface *ifp,
 accumulate_bytes(ifp, id, 8);
 end_message(ifp, MESSAGE_ROUTER_ID, 10);
 }
- memcpy(babel_ifp->buffered_id, id, 16);
+ memcpy(babel_ifp->buffered_id, id, sizeof(babel_ifp->buffered_id));
 babel_ifp->have_buffered_id = 1;
 }
--
2.39.5
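Review bot: The new width of `buffered_id` is a bare 8 with nothing on the line recording why, so a later edit can re-grow it (or shrink it) without noticing that the Router-ID TLV in message.c writes exactly 8 bytes of `id` (`accumulate_bytes(ifp, id, 8)` in the second hunk) and that the cached copy must match that width. A short comment on the member would pin the invariant: `unsigned char buffered_id[8]; /* router-id carried in the last Update; must stay 8 bytes, the width written by the Router-ID TLV */`. A single named constant shared by this array, the `accumulate_bytes()` length and the memcpy would tie the three together more robustly than three separate literals, though I cannot see from the hunk whether the tree already defines one. `struct babel_interface` begins and ends outside the hunk.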
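Review bot: The memcpy is now bounded by the destination, but the conditional this block sits under (the `}` just before the memcpy closes it; presumably the `have_buffered_id` check that decides whether a fresh Router-ID TLV is needed) is outside the hunk, and if it compares `id` against `buffered_id` with the old length of 16 it still over-reads both buffers on every update, since `id` is an 8-byte array per the commit message and `buffered_id` is now 8 bytes. Worth confirming that comparison reads `memcmp(id, babel_ifp->buffered_id, sizeof(babel_ifp->buffered_id)) != 0` or its equivalent with 8, so the compare, the copy and the TLV length all agree. `really_send_update` begins outside the hunk.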