[patch] IPPacketC uses error return value as offset, resulting in trashed memory

GoogleCodeExporter commented 8 years ago

When using the PppRouter application's RplBorderRouterP module and receiving a 
packet with an IPV6_HOP header but no RPL_HBH_RANK_TYPE header, IPPacketC's 
delTLV() ends up trashing memory. This is due to the blind assumption that 
findTLV() always succeeds. When it doesn't, -1 is used as an offset for 
iov_update() which results in Bad Things (in my case the board just hung, 
making this rather "fun" to track down).

Cheers,
/Johny

Original issue reported on code.google.com by jmatts...@dius.com.au on 28 Jul 2011 at 1:32

Attachments:

IPPacketC.patch

GoogleCodeExporter commented 8 years ago

Original comment by philip.l...@gmail.com on 29 Jul 2011 at 12:23

GoogleCodeExporter commented 8 years ago

Original comment by sdh...@gmail.com on 29 Jul 2011 at 12:49

Changed state: Accepted

GoogleCodeExporter commented 8 years ago

Original comment by sdh...@gmail.com on 3 Aug 2011 at 9:24

Changed state: Fixed

anandmudgerikar / tinyos-main

[patch] IPPacketC uses error return value as offset, resulting in trashed memory #48