Error in length provided to memset, resulting in a buffer overflow. Error now fixed.

author klueska <klueska>

Mon, 16 Jul 2007 19:42:34 +0000 (19:42 +0000)

committer klueska <klueska>

Mon, 16 Jul 2007 19:42:34 +0000 (19:42 +0000)
author klueska <klueska>
Mon, 16 Jul 2007 19:42:34 +0000 (19:42 +0000)
committer klueska <klueska>
Mon, 16 Jul 2007 19:42:34 +0000 (19:42 +0000)
diff --git a/tos/lib/printf/PrintfP.nc b/tos/lib/printf/PrintfP.nc

index 0065b0abc38aae8ed411e3d77516618b7f1cb130..c0b522a9ebff35c94d064158055299dbda1354ba 100644 (file)
--- a/tos/lib/printf/PrintfP.nc
+++ b/tos/lib/printf/PrintfP.nc
@@ -84,10 +84,10 @@ implementation {
    }
    
    void sendNext() {
-       printf_msg_t* m = (printf_msg_t*)call Packet.getPayload(&printfMsg, NULL);
-       length_to_send = (bytes_left_to_flush < sizeof(printf_msg_t)) ? bytes_left_to_flush : sizeof(printf_msg_t);
-       memset(m->buffer, 0, sizeof(printfMsg));
-       memcpy(m->buffer, (uint8_t*)next_byte, length_to_send);
+    printf_msg_t* m = (printf_msg_t*)call Packet.getPayload(&printfMsg, NULL);
+    length_to_send = (bytes_left_to_flush < sizeof(printf_msg_t)) ? bytes_left_to_flush : sizeof(printf_msg_t);
+    memset(m->buffer, 0, sizeof(m->buffer));
+    memcpy(m->buffer, (uint8_t*)next_byte, length_to_send);
      if(call AMSend.send(AM_BROADCAST_ADDR, &printfMsg, sizeof(printf_msg_t)) != SUCCESS)
        post retrySend();  
      else {
@@ -139,7 +139,7 @@ implementation {
         atomic {
           if(state == S_STARTED && (next_byte > buffer)) {
             state = S_FLUSHING;
-        bytes_left_to_flush = next_byte - buffer;
+            bytes_left_to_flush = next_byte - buffer;
             next_byte = buffer;
           }
           else return FAIL;
author	klueska <klueska>
	Mon, 16 Jul 2007 19:42:34 +0000 (19:42 +0000)
committer	klueska <klueska>
	Mon, 16 Jul 2007 19:42:34 +0000 (19:42 +0000)