authorBrant Thomsen <brant.thomsen@harman.com>2017-07-19 17:16:54 -0600
committerBrant Thomsen <brant.thomsen@harman.com>2017-07-19 17:16:54 -0600
commitd1108941e160b90928bfb7fa3bb2150bf214be90 (patch)
treed39e476245c2ab6e19d7b6373cd8d49b42fb7b7d
parent8721f5174965ca319954d0cc64e6887eb8173d71 (diff)
downloadOpen-AVB-d1108941e160b90928bfb7fa3bb2150bf214be90.tar.gz
Check AECP frame length
If the data we extract from a frame is larger than the supplied frame itself, ignore the frame. Also fixed a potential memory leak.
-rw-r--r--lib/avtp_pipeline/aecp/openavb_aecp_message.c12
-rw-r--r--lib/avtp_pipeline/aecp/openavb_aecp_sm_entity_model_entity.c2
2 files changed, 10 insertions, 4 deletions
diff --git a/lib/avtp_pipeline/aecp/openavb_aecp_message.c b/lib/avtp_pipeline/aecp/openavb_aecp_message.c
index 12dd66c3..b2e55bee 100644
--- a/lib/avtp_pipeline/aecp/openavb_aecp_message.c
+++ b/lib/avtp_pipeline/aecp/openavb_aecp_message.c
@@ -507,9 +507,15 @@ static void openavbAecpMessageRxFrameParse(U8* payload, int payload_len, hdr_inf
break;
}
- // Notify the state machine of the command request
- // The buffer will be deleted once the request is handled.
- openavbAecpSMEntityModelEntitySet_rcvdCommand(openavbAecpCommandResponse);
+ if (pSrc - payload <= payload_len) {
+ // Notify the state machine of the command request
+ // The buffer will be deleted once the request is handled.
+ openavbAecpSMEntityModelEntitySet_rcvdCommand(openavbAecpCommandResponse);
+ }
+ else {
+ AVB_LOGF_ERROR("Expected packet of size %d, but received one of size %d. Discarding.", pSrc - payload, payload_len);
+ free(openavbAecpCommandResponse);
+ }
}
AVB_TRACE_EXIT(AVB_TRACE_AECP);
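Review bot: The new `if (pSrc - payload <= payload_len)` test runs only after the switch above has advanced `pSrc`, so a truncated frame is rejected only after the parser has presumably already read past the end of `payload`. The parsing code is outside this hunk, so this is inferred, but the safer shape is to compare the length each command type needs against `payload_len` before copying any field, and to keep this check as a final sanity test. Separately, `pSrc - payload` is a `ptrdiff_t` passed to a `%d` conversion, which is a format/argument mismatch on 64-bit targets; use `(int)(pSrc - payload)` or `%td` in the `AVB_LOGF_ERROR` call. The enclosing function `openavbAecpMessageRxFrameParse` starts before this hunk.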
diff --git a/lib/avtp_pipeline/aecp/openavb_aecp_sm_entity_model_entity.c b/lib/avtp_pipeline/aecp/openavb_aecp_sm_entity_model_entity.c
index d48c7cdb..5f125244 100644
--- a/lib/avtp_pipeline/aecp/openavb_aecp_sm_entity_model_entity.c
+++ b/lib/avtp_pipeline/aecp/openavb_aecp_sm_entity_model_entity.c
@@ -1191,7 +1191,7 @@ void openavbAecpSMEntityModelEntitySet_rcvdCommand(openavb_aecp_AEMCommandRespon
openavbAecpSMGlobalVars.myEntityID,
sizeof(openavbAecpSMGlobalVars.myEntityID)) != 0) {
// Not intended for us.
- free(openavbAecpSMEntityModelEntityVars.rcvdCommand);
+ free(rcvdCommand);
return;
}
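Review bot: The ownership contract for `rcvdCommand` is not documented. With `free(rcvdCommand);` on the "Not intended for us" path, `openavbAecpSMEntityModelEntitySet_rcvdCommand` releases the caller's buffer itself, and the caller in openavb_aecp_message.c relies on that. A header comment such as `// Takes ownership of rcvdCommand: it is freed here if rejected, otherwise once the request is handled.` would make clear that callers must not touch or free the pointer after the call. The function body continues outside this hunk, so other return paths should be checked to confirm they follow the same rule.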