From: klueska <klueska>
Date: Mon, 16 Jul 2007 19:42:34 +0000 (+0000)
Subject: Error in length provided to memset, resulting in a buffer overflow.  Error now fixed.
X-Git-Tag: release_tools_1_2_4_1~26
X-Git-Url: https://oss.titaniummirror.com/gitweb/?p=tinyos-2.x.git;a=commitdiff_plain;h=611881ddf09d9510f630c7f635df5c4c0a5fcb12

Error in length provided to memset, resulting in a buffer overflow.  Error now fixed.
---

diff --git a/tos/lib/printf/PrintfP.nc b/tos/lib/printf/PrintfP.nc
index 0065b0ab..c0b522a9 100644
--- a/tos/lib/printf/PrintfP.nc
+++ b/tos/lib/printf/PrintfP.nc
@@ -84,10 +84,10 @@ implementation {
   }
   
   void sendNext() {
-  	printf_msg_t* m = (printf_msg_t*)call Packet.getPayload(&printfMsg, NULL);
-  	length_to_send = (bytes_left_to_flush < sizeof(printf_msg_t)) ? bytes_left_to_flush : sizeof(printf_msg_t);
-  	memset(m->buffer, 0, sizeof(printfMsg));
-  	memcpy(m->buffer, (uint8_t*)next_byte, length_to_send);
+    printf_msg_t* m = (printf_msg_t*)call Packet.getPayload(&printfMsg, NULL);
+    length_to_send = (bytes_left_to_flush < sizeof(printf_msg_t)) ? bytes_left_to_flush : sizeof(printf_msg_t);
+    memset(m->buffer, 0, sizeof(m->buffer));
+    memcpy(m->buffer, (uint8_t*)next_byte, length_to_send);
     if(call AMSend.send(AM_BROADCAST_ADDR, &printfMsg, sizeof(printf_msg_t)) != SUCCESS)
       post retrySend();  
     else {
@@ -139,7 +139,7 @@ implementation {
   	atomic {
   	  if(state == S_STARTED && (next_byte > buffer)) {
   	    state = S_FLUSHING;
-        bytes_left_to_flush = next_byte - buffer;
+            bytes_left_to_flush = next_byte - buffer;
   	    next_byte = buffer;
   	  }
   	  else return FAIL;