ppp: fix segfault in pppcp_send_code_reject()

fix memory corruption caused by misplaced paren when memcpying rejected packet data into Code-Reject packet.
author: Kristen Carlson Accardi <kristen@linux.intel.com> 2010-03-26 18:34:26 -0700
committer: Marcel Holtmann <marcel@holtmann.org> 2010-03-26 19:19:46 -0700
commit: 909ab154a48e81eb4da2c55e354f45755d51ef49 (patch)
tree: 85c627dc6a8f398eeeb8409c5c9b7a501caa2814 /gatchat/ppp_cp.c
parent: 9bb65275eb542c56fe49796222c5199fbf963384 (diff)
download: ofono-909ab154a48e81eb4da2c55e354f45755d51ef49.tar.bz2
1 files changed, 6 insertions, 3 deletions
diff --git a/gatchat/ppp_cp.c b/gatchat/ppp_cp.c
index 137f6b97..39e872bd 100644
--- a/gatchat/ppp_cp.c
+++ b/gatchat/ppp_cp.c
@@ -454,9 +454,12 @@ static void pppcp_send_code_reject(struct pppcp_data *data,
 					guint8 *rejected_packet)
 {
 	struct pppcp_packet *packet;
+	struct pppcp_packet *old_packet =
+				(struct pppcp_packet *) rejected_packet;
 
-	packet = pppcp_packet_new(data, CODE_REJECT,
-			ntohs(((struct pppcp_packet *) rejected_packet)->length));
+	pppcp_trace(data);
+
+	packet = pppcp_packet_new(data, CODE_REJECT, ntohs(old_packet->length));
 
 	/*
 	 * Identifier must be changed for each Code-Reject sent
@@ -468,7 +471,7 @@ static void pppcp_send_code_reject(struct pppcp_data *data,
 	 * truncated if it needs to be to comply with mtu requirement
 	 */
 	memcpy(packet->data, rejected_packet,
-			ntohs(packet->length - CP_HEADER_SZ));
+			ntohs(packet->length) - CP_HEADER_SZ);
 
 	ppp_transmit(data->ppp, pppcp_to_ppp_packet(packet),
 			ntohs(packet->length));
author	Kristen Carlson Accardi <kristen@linux.intel.com>	2010-03-26 18:34:26 -0700
committer	Marcel Holtmann <marcel@holtmann.org>	2010-03-26 19:19:46 -0700
commit	909ab154a48e81eb4da2c55e354f45755d51ef49 (patch)
tree	85c627dc6a8f398eeeb8409c5c9b7a501caa2814 /gatchat/ppp_cp.c
parent	9bb65275eb542c56fe49796222c5199fbf963384 (diff)
download	ofono-909ab154a48e81eb4da2c55e354f45755d51ef49.tar.bz2