diff options
author | Kristen Carlson Accardi <kristen@linux.intel.com> | 2010-03-26 18:34:26 -0700 |
---|---|---|
committer | Marcel Holtmann <marcel@holtmann.org> | 2010-03-26 19:19:46 -0700 |
commit | 909ab154a48e81eb4da2c55e354f45755d51ef49 (patch) | |
tree | 85c627dc6a8f398eeeb8409c5c9b7a501caa2814 /gatchat/ppp_cp.c | |
parent | 9bb65275eb542c56fe49796222c5199fbf963384 (diff) | |
download | ofono-909ab154a48e81eb4da2c55e354f45755d51ef49.tar.bz2 |
ppp: fix segfault in pppcp_send_code_reject()
fix memory corruption caused by misplaced paren when memcpying
rejected packet data into Code-Reject packet.
Diffstat (limited to 'gatchat/ppp_cp.c')
-rw-r--r-- | gatchat/ppp_cp.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/gatchat/ppp_cp.c b/gatchat/ppp_cp.c index 137f6b97..39e872bd 100644 --- a/gatchat/ppp_cp.c +++ b/gatchat/ppp_cp.c @@ -454,9 +454,12 @@ static void pppcp_send_code_reject(struct pppcp_data *data, guint8 *rejected_packet) { struct pppcp_packet *packet; + struct pppcp_packet *old_packet = + (struct pppcp_packet *) rejected_packet; - packet = pppcp_packet_new(data, CODE_REJECT, - ntohs(((struct pppcp_packet *) rejected_packet)->length)); + pppcp_trace(data); + + packet = pppcp_packet_new(data, CODE_REJECT, ntohs(old_packet->length)); /* * Identifier must be changed for each Code-Reject sent @@ -468,7 +471,7 @@ static void pppcp_send_code_reject(struct pppcp_data *data, * truncated if it needs to be to comply with mtu requirement */ memcpy(packet->data, rejected_packet, - ntohs(packet->length - CP_HEADER_SZ)); + ntohs(packet->length) - CP_HEADER_SZ); ppp_transmit(data->ppp, pppcp_to_ppp_packet(packet), ntohs(packet->length)); |