[PATCH 1/5] ppp: fix segfault in pppcp_send_code_reject()

Kristen Carlson Accardi kristen at linux.intel.com
Fri Mar 26 18:34:26 PDT 2010


Fix memory corruption caused by a misplaced parenthesis when memcpy'ing
the rejected packet data into the Code-Reject packet.
---
 gatchat/ppp_cp.c |    9 ++++++---
 1 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/gatchat/ppp_cp.c b/gatchat/ppp_cp.c
index 137f6b9..39e872b 100644
--- a/gatchat/ppp_cp.c
+++ b/gatchat/ppp_cp.c
@@ -454,9 +454,12 @@ static void pppcp_send_code_reject(struct pppcp_data *data,
 					guint8 *rejected_packet)
 {
 	struct pppcp_packet *packet;
+	struct pppcp_packet *old_packet =
+				(struct pppcp_packet *) rejected_packet;
 
-	packet = pppcp_packet_new(data, CODE_REJECT,
-			ntohs(((struct pppcp_packet *) rejected_packet)->length));
+	pppcp_trace(data);
+
+	packet = pppcp_packet_new(data, CODE_REJECT, ntohs(old_packet->length));
 
 	/*
 	 * Identifier must be changed for each Code-Reject sent
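Review bot: The length passed to pppcp_packet_new() is read straight from the header of the rejected packet, which comes from the peer, and nothing visible in this hunk checks it against the number of bytes actually received; the function only receives a `guint8 *` with no size. The same value then drives the `memcpy` in the second hunk, so an overstated length field could make the copy read past the end of the receive buffer and return those bytes in the Code-Reject. If the caller already validates the length, say so here, for instance `/* caller has verified old_packet->length against the received frame size */`; otherwise the received size should be passed in and used as an upper bound. The function body continues outside the hunk.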
@@ -468,7 +471,7 @@ static void pppcp_send_code_reject(struct pppcp_data *data,
 	 * truncated if it needs to be to comply with mtu requirement
 	 */
 	memcpy(packet->data, rejected_packet,
-			ntohs(packet->length - CP_HEADER_SZ));
+			ntohs(packet->length) - CP_HEADER_SZ);
 
 	ppp_transmit(data->ppp, pppcp_to_ppp_packet(packet),
 			ntohs(packet->length));
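Review bot: The comment above this `memcpy` says the rejected packet is truncated to meet the MTU requirement, but the copy size is just `ntohs(packet->length) - CP_HEADER_SZ`, with no clamp visible in the hunk. Unless pppcp_packet_new() caps the length it is given (not shown here), the Code-Reject can end up larger than the link allows. Either clamp the length before the packet is allocated or make the comment match the code, for example `/* NOTE: no truncation is done yet; the whole rejected packet is copied */`. The function starts and ends outside this hunk.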
-- 
1.6.6.1


