On Wed, Sep 09, 2020 at 05:37:37AM +0800, nan chen wrote:
> Looks like the judgment of len < sizeof(valid_accm) has a problem.
> The judgment cannot avoid the memory overflow of the memcpy below.
>                         case LCP_OPTION_ACCM: /* async control character
> map */
> +                               if (len < sizeof(valid_accm))
> +                                       goto err_out;
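Review bot: the guard `if (len < sizeof(valid_accm))` tests how many bytes are left in the whole request, not the length of the current option, so it does not bound what the memcpy that follows appends per option: a request whose ACCM options each carry opt[1] == 2 passes this test on every iteration while each copy adds sizeof(valid_accm) to nak_len, which is exactly the walk-through given after this hunk. The size check needs to be on opt[1].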
> Assume that the initial value of len is 10. Then the length of 'out' memory
> is 10.
> And assume the value of opt[1] in each loop is 2.
> Then it will loop 3 times.
> 3 times memcpy will cause the 'out' memory to be overwritten by 18 bytes
> (> 10 bytes). This will be memory overflow.
> 
> I think the correct way is to judge the value of opt[1] like this:
> .                        case LCP_OPTION_ACCM: /* async control character
> map */
> +                               if (opt[1] < sizeof(valid_accm))
> +                                       goto err_out;
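Review bot: `if (opt[1] < sizeof(valid_accm))` bounds the copy per option, but as written it replaces the remaining-length test instead of adding to it, so an option whose opt[1] claims more bytes than are left in the request is no longer caught by either line; keep a check that opt[1] does not exceed len next to this one before the memcpy.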
> 

Yeah.  You're right.  The "nak_len" count would grow faster than it
should leading to memory corruption.  I'll resend.

regards,
dan carpenter
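The overflow walked through in the quoted mail, as an added C model that is not the kernel's parser or either poster's patch: a simplified option walk whose guard can be switched between the remaining-length test of the first hunk and the per-option opt[1] test of the second. The value of valid_accm, the sample request and the function names are constructed for this illustration, and the model reports a copy that would run past the NAK buffer as a return code rather than performing it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LCP_OPTION_ACCM 2  /* LCP option type, async control character map */

/* Constructed stand-in for the valid ACCM option record (type, length,
 * 4-byte map); not the kernel's own value. */
static const uint8_t valid_accm[] = { LCP_OPTION_ACCM, 6, 0, 0, 0, 0 };

/* Model of the configure-request option walk the mail discusses. Each
 * option is type, length, data; every ACCM option that differs from
 * valid_accm gets valid_accm appended to a NAK buffer of capacity out_cap
 * (the mail's "out"). Returns the NAK length, -1 when a guard rejects the
 * request, or -2 when a copy would run past out_cap, i.e. the corruption
 * the mail describes. guard_on_opt_len selects the opt[1] guard of the
 * second hunk instead of the len guard of the first. */
static int parse_accm_options(const uint8_t *opt, size_t len,
                              size_t out_cap, int guard_on_opt_len)
{
    size_t nak_len = 0;

    while (len >= 2) {                  /* type and length bytes present */
        size_t opt_len = opt[1];
        if (opt_len < 2 || opt_len > len)
            return -1;                  /* option runs past the request */
        if (opt[0] == LCP_OPTION_ACCM) {
            size_t guard = guard_on_opt_len ? opt_len : len;
            if (guard < sizeof(valid_accm))
                return -1;
            /* A short option cannot equal the 6-byte record; only memcmp
             * when the option really holds that many bytes. */
            int same = opt_len >= sizeof(valid_accm) &&
                       memcmp(opt, valid_accm, sizeof(valid_accm)) == 0;
            if (!same) {
                if (nak_len + sizeof(valid_accm) > out_cap)
                    return -2;          /* memcpy would overflow out */
                nak_len += sizeof(valid_accm);
            }
        }
        opt += opt_len;
        len -= opt_len;
    }
    return (int)nak_len;
}

/* Constructed request from the mail: len 10, every opt[1] == 2, out of 10. */
static const uint8_t short_accm_req[10] = {
    2, 2, 2, 2, 2, 2, 2, 2, 2, 2 };
```

With the len guard the model reports -2 on the second option of short_accm_req (12 bytes would be written into a 10-byte out); with the opt[1] guard the request is rejected on the first option.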
