The function ccnl_cmp2int in ccnl-pkt-util.c has several issues. The relevant code is:
187 int
188 ccnl_cmp2int(unsigned char *cmp, int cmplen)
189 {
190 long int i;
191 char *str = (char *)ccnl_malloc(cmplen+1);
192 DEBUGMSG(DEBUG, " inter a: %i\n", cmplen);
193 DEBUGMSG(DEBUG, " inter b\n");
194 memcpy(str, (char *)cmp, cmplen);
195 str[cmplen] = '\0';
196 DEBUGMSG(DEBUG, " inter c: %s\n", str);
197 i = strtol(str, NULL, 0);
198 DEBUGMSG(DEBUG, " inter d\n");
199 ccnl_free(str);
200 return (int)i;
201 }
If cmplen is INT_MAX, the computation cmplen+1 in line 191 overflows and the actual allocated size is 0. Also, if a negative value (e.g. -1) is passed, the size might be 0. In addition, if cmp is NULL, the memcpy call will fail.
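As an added example (not ccn-lite's own code; ccnl_cmp2int_safe and CMP2INT_MAX_LEN are hypothetical names), a hardened variant that rejects each of the inputs described above before any copy or parse happens, and that also reports values which do not fit an int instead of truncating them:

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Longest component text worth parsing as an int. Anything longer cannot be a
 * valid int, so it is rejected before any copy. Constructed limit for this
 * example, not a ccn-lite constant. */
#define CMP2INT_MAX_LEN 32

/* Returns 0 and stores the parsed value in *out on success, -1 on any invalid
 * input: NULL buffer, negative or oversized length, non-numeric text, or a
 * value outside the int range. */
int ccnl_cmp2int_safe(const unsigned char *cmp, int cmplen, int *out)
{
    char str[CMP2INT_MAX_LEN + 1];   /* fixed buffer: no cmplen+1 arithmetic */
    char *end;
    long v;

    if (!cmp || !out)                /* original passed cmp straight to memcpy */
        return -1;
    if (cmplen < 0 || cmplen > CMP2INT_MAX_LEN)   /* covers -1 and INT_MAX */
        return -1;

    memcpy(str, cmp, (size_t)cmplen);
    str[cmplen] = '\0';

    errno = 0;
    v = strtol(str, &end, 0);
    if (end == str || *end != '\0')  /* empty input or trailing garbage */
        return -1;
    if (errno == ERANGE || v < INT_MIN || v > INT_MAX)
        return -1;                   /* original silently truncated via (int) */

    *out = (int)v;
    return 0;
}

int main(void)
{
    int v, rc;
    /* Constructed inputs: one valid component and two cases from the report. */
    rc = ccnl_cmp2int_safe((const unsigned char *)"0x1f", 4, &v);
    printf("\"0x1f\" -> rc=%d v=%d\n", rc, v);   /* rc=0 v=31 */
    rc = ccnl_cmp2int_safe(NULL, 3, &v);
    printf("NULL    -> rc=%d\n", rc);           /* rc=-1 */
    rc = ccnl_cmp2int_safe((const unsigned char *)"1", INT_MAX, &v);
    printf("INT_MAX -> rc=%d\n", rc);           /* rc=-1 */
    return 0;
}
```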