From: E. Scott Daniels
Date: Tue, 9 Apr 2019 20:25:58 +0000 (+0000)
Subject: Fix possible allocation of 0 len buffer in rtc
X-Git-Tag: 1.0.31~41
X-Git-Url: https://gerrit.o-ran-sc.org/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F47%2F47%2F2;p=ric-plt%2Flib%2Frmr.git

Fix possible allocation of 0 len buffer in rtc

It was possible for the route table collector to allocate a zero length buffer to copy a received message into.

Change-Id: Ie270f7fe9f721661f59713eaf15500762b2b3253
Signed-off-by: E. Scott Daniels
---

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 9f0af5d..9371ce3 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -24,7 +24,7 @@ cmake_minimum_required( VERSION 3.5 )
 set( major_version "1" )
 set( minor_version "0" )
-set( patch_level "15" )
+set( patch_level "16" )
 set( install_root "${CMAKE_INSTALL_PREFIX}" )
 set( install_lib "lib" )
diff --git a/src/common/src/rtc_static.c b/src/common/src/rtc_static.c
index 6b9c707..9f0d1a6 100644
--- a/src/common/src/rtc_static.c
+++ b/src/common/src/rtc_static.c
@@ -92,7 +92,7 @@ static void* rtc( void* vctx ) {
 int state; // processing state of some nng function
 char* tokens[128];
 char wbuf[128];
-char* pbuf;
+char* pbuf = NULL;
 int pbuf_size = 0; // number allocated in pbuf
 int ntoks;
 int raw_interface = 1; // rtg is using raw NNG/Nano not RMr to send updates
@@ -183,8 +183,12 @@ static void* rtc( void* vctx ) {
 if( pbuf ) {
 free( pbuf );
 }
-pbuf = (char *) malloc( sizeof( char ) * mlen *2 );
-pbuf_size = mlen * 2;
+if( mlen < 512 ) {
+pbuf_size = 512;
+} else {
+pbuf_size = mlen * 2;
+}
+pbuf = (char *) malloc( sizeof( char ) * pbuf_size );
 }
 memcpy( pbuf, payload, mlen );
 pbuf[mlen] = 0; // don't depend on sender making this a legit string
diff --git a/src/nng/src/sr_nng_static.c b/src/nng/src/sr_nng_static.c
index a99b3de..cfea829 100644
--- a/src/nng/src/sr_nng_static.c
+++ b/src/nng/src/sr_nng_static.c
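Review bot: The malloc() result on the last added line of the second rtc_static.c hunk is still used unchecked by the memcpy() and the `pbuf[mlen] = 0` that follow, so an allocation failure dereferences NULL; a guard such as `if( pbuf == NULL ) { pbuf_size = 0; continue; }` would drop the update instead, assuming this sits inside the receive loop (the loop is outside the hunk), and resetting pbuf_size keeps the next message from trusting a stale size. The condition that decides when the buffer is reallocated is also outside the hunk; it has to reallocate whenever `mlen >= pbuf_size`, because the terminator write needs pbuf_size to exceed mlen, not merely equal it. If mlen is taken from the received message, `mlen * 2` can also overflow pbuf_size, which the first hunk shows is an int, so a cap on mlen before the sizing would be prudent. rtc() begins and ends outside both hunks.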
@@ -230,7 +230,7 @@ static inline rmr_mbuf_t* clone_msg( rmr_mbuf_t* old_msg ) {
 nm->payload = nm->header + sizeof( uta_mhdr_t ); // point past header to payload (single buffer allocation above)
 nm->xaction = ((uta_mhdr_t *)nm->header)->xid; // point at transaction id in header area
 nm->state = old_msg->state; // fill in caller's state (likely the state of the last operation)
-nm->flags |= MFL_ZEROCOPY; // this is a zerocopy sendable message
+nm->flags = old_msg->flags | MFL_ZEROCOPY; // this is a zerocopy sendable message
 memcpy( ((uta_mhdr_t *)nm->header)->src, ((uta_mhdr_t *)old_msg->header)->src, RMR_MAX_SID );
 memcpy( nm->payload, old_msg->payload, old_msg->len );