projects / platform / upstream / iotivity.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 38c8911)
[CONPRO-1561] Crash in memcpy 89/225289/2 submit/tizen/20200219.001638
authorsamanway <samanway@linux-samanway.sa.corp.samsungelectronics.net>
Tue, 4 Feb 2020 11:07:38 +0000 (16:37 +0530)
committerDoHyun Pyun <dh79.pyun@samsung.com>
Wed, 19 Feb 2020 00:15:04 +0000 (09:15 +0900)
- In Caremotehandler.c, function CACloneInfo was copying token into buffer in vulnurable way
- Fixed it appending NULL in destination string

https://github.sec.samsung.net/RS7-IOTIVITY/IoTivity/pull/662
(cherry-picked from f8af2d6ca117bdf270c97c5c28f86bb0169659e5)

Change-Id: I84dfff77ecbf3a333913ce341060d7e30444ac62
Signed-off-by: samanway <samanway-dey@samsung.com>
Signed-off-by: DoHyun Pyun <dh79.pyun@samsung.com>
resource/csdk/connectivity/common/src/caremotehandler.c patch | blob | history

diff --git a/resource/csdk/connectivity/common/src/caremotehandler.c b/resource/csdk/connectivity/common/src/caremotehandler.c
index 1e5b7e9..638c04f 100644 (file)
--- a/resource/csdk/connectivity/common/src/caremotehandler.c
+++ b/resource/csdk/connectivity/common/src/caremotehandler.c
@@ -261,7 +261,7 @@ CAResult_t CACloneInfo(const CAInfo_t *info, CAInfo_t *clone)
         // allocate token field
         uint8_t len = info->tokenLength;
 
-        char *temp = (char *) OICMalloc(len * sizeof(char));
+        char *temp = (char *) OICCalloc(1, (len + 1) * sizeof(char));
         if (!temp)
         {
             OIC_LOG(ERROR, TAG, "CACloneInfo Out of memory");
Domain: Network & Connectivity / IoT Connectivity;