
Horrible memory leak in recvfrom() that has gone completely unnoticed until now?

Question asked by pmt on Aug 23, 2017
Latest reply on Aug 24, 2017 by Craig Honegger

I'm using the latest MQX Classic release, 4.2.0.2, and we're having a receive buffer overflow issue in recvfrom(). Hopefully the MQX developers are still active on this board.


Shouldn't this line in the code snippet below:

   memcpy(parms->udpptr, dgram_item->dgram, dgram_size);

be this instead:

   memcpy(parms->udpptr, dgram_item->dgram, parms->udpword); 


Otherwise you can overflow the user receive buffer causing a memory leak (you ignore the buffer length parameter).

Thanks,

PMT


   static void udp_return_req2socket_from_rx_queue(UDP_PARM_PTR parms, struct udp_rx_dgram_header * dgram_item)
   {
       uint32_t dgram_size = 0;

       dgram_size = dgram_item->size;

       /* limit for the upper layer recv buffer */
       if(parms->udpword > dgram_size)
       {
           parms->udpword = dgram_size;
       }

       if(parms->saddr_ptr)
       {
           *parms->saddr_ptr = dgram_item->fromaddr;
       }
       /* copies dgram_size bytes, not the clamped parms->udpword */
       memcpy(parms->udpptr, dgram_item->dgram, dgram_size);
       ((SOCKET_STRUCT_PTR)parms->ucb->SOCKET)->LINK_OPTIONS.RX = dgram_item->rx_linkopts;
   }

   static void udp_return_req2socket_from_pcb(UDP_PARM_PTR parms, RTCSPCB_PTR pcb_ptr)
   {
       uint32_t dgram_size = 0;

       dgram_size = RTCSPCB_SIZE(pcb_ptr);

       /* limit for the upper layer recv buffer */
       if(parms->udpword > dgram_size)
       {
           parms->udpword = dgram_size;
       }

       if(parms->saddr_ptr)
       {
           uint16_t af = ((SOCKET_STRUCT_PTR)parms->ucb->SOCKET)->AF;
           udp_set_fromaddr(parms->saddr_ptr, pcb_ptr, af);
       }
       /* this path copies the clamped length */
       RTCSPCB_memcopy(pcb_ptr, parms->udpptr, 0, parms->udpword);
       ((SOCKET_STRUCT_PTR)parms->ucb->SOCKET)->LINK_OPTIONS.RX = pcb_ptr->LINK_OPTIONS.RX;
   }
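The following is an added, stand-alone illustration of the length mismatch described in the post; it is not MQX code and uses constructed stand-in structures (struct dgram_item, struct recv_parms) rather than the real UDP_PARM_PTR / udp_rx_dgram_header types. It computes the length the posted memcpy() would use, checks it against the caller's buffer length, and shows a bounded copy that honours the clamp and returns the copied length so a caller can detect truncation. A guard region after a small receive buffer confirms that the bounded copy stays inside it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the MQX structures in the post (hypothetical names). */
struct dgram_item {
    const uint8_t *dgram;   /* datagram payload */
    uint32_t size;          /* payload length on the wire */
};

struct recv_parms {
    uint8_t *udpptr;        /* caller's receive buffer */
    uint32_t udpword;       /* caller's buffer length */
};

/* Length the posted memcpy() uses: udpword is clamped to dgram_size, but the
   copy length passed to memcpy() is dgram_size, so the clamp does not bound the write. */
static uint32_t posted_copy_length(uint32_t udpword, uint32_t dgram_size)
{
    if (udpword > dgram_size) {
        udpword = dgram_size;   /* same clamp as udp_return_req2socket_from_rx_queue() */
    }
    (void)udpword;              /* ...and then not used by the copy */
    return dgram_size;
}

/* 1 when the posted copy would write past the caller's buffer. */
static int posted_copy_overflows(uint32_t udpword, uint32_t dgram_size)
{
    return posted_copy_length(udpword, dgram_size) > udpword;
}

/* Bounded copy: copies min(udpword, dgram_size) bytes, stores that count back in
   udpword and returns it, so the caller can see whether the datagram was truncated. */
static uint32_t bounded_copy_to_user(struct recv_parms *parms, const struct dgram_item *item)
{
    uint32_t n = parms->udpword;
    if (n > item->size) {
        n = item->size;
    }
    memcpy(parms->udpptr, item->dgram, n);
    parms->udpword = n;
    return n;
}

/* Harness: a 16-byte receive buffer followed by a guard region; returns 1 if the
   guard bytes survive a bounded copy of a 64-byte constructed datagram. */
static int bounded_copy_keeps_guard(void)
{
    uint8_t payload[64];
    struct { uint8_t buf[16]; uint8_t guard[8]; } user;
    struct dgram_item item = { payload, sizeof payload };
    struct recv_parms parms = { user.buf, sizeof user.buf };
    uint32_t copied;
    size_t i;

    memset(payload, 0xAB, sizeof payload);
    memset(user.guard, 0x5A, sizeof user.guard);
    copied = bounded_copy_to_user(&parms, &item);
    if (copied != sizeof user.buf) {
        return 0;
    }
    for (i = 0; i < sizeof user.guard; i++) {
        if (user.guard[i] != 0x5A) {
            return 0;
        }
    }
    return 1;
}

int main(void)
{
    printf("posted copy, 16-byte buffer, 64-byte datagram: overflow=%d\n",
           posted_copy_overflows(16, 64));
    printf("posted copy, 64-byte buffer, 16-byte datagram: overflow=%d\n",
           posted_copy_overflows(64, 16));
    printf("bounded copy keeps guard: %d\n", bounded_copy_keeps_guard());
    return 0;
}
```

The overflow only occurs when the datagram is larger than the receive buffer, which is exactly the case the clamp was written to handle; the pcb path in the post, which passes parms->udpword to RTCSPCB_memcopy(), already behaves like bounded_copy_to_user(). Returning the copied length also lets recvfrom() callers notice silent truncation of oversized datagrams.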
