Crash
Opened this issue · 0 comments
weisongye commented
#include <stdio.h>
#include <string.h>
typedef struct _MSG_ELEMENT_HDR
{
unsigned short type; /* me type */
unsigned short length; /* me data length */
unsigned char data[0]; /* me data */
} MSG_ELEMENT_HDR;
MSG_ELEMENT_HDR* parse_msg_element(MSG_ELEMENT_HDR *meh, int total_len, unsigned short me_type)
{
int offset = 0;
MSG_ELEMENT_HDR *tmp_meh = NULL;
while (total_len > 0)
{
tmp_meh = (MSG_ELEMENT_HDR *)((char *)meh + offset);
if (tmp_meh->type == me_type)
{
return tmp_meh;
}
offset += sizeof(MSG_ELEMENT_HDR) + tmp_meh->length;
total_len -= sizeof(MSG_ELEMENT_HDR) + tmp_meh->length;
}
return NULL;
}
void memory_overstep_boundary()
{
unsigned char payload[] = { 0x05, 0x00, 0x08, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x05, 0x00, 0x01, 0x05, 0x00, 0x01 };
unsigned short payloadLen = 12;
char mac[32][18] = { 0 };
MSG_ELEMENT_HDR *meh = NULL;
int count = 0;
int length = 0;
meh = (MSG_ELEMENT_HDR *)payload;
length = payloadLen;
/* search for mac in frame */
for (count = 0; meh != NULL; count++)
{
meh = parse_msg_element(meh, length, 5);
if (NULL == meh)
{
break;
}
memcpy(mac + count * 18, meh, meh->length);
meh = (MSG_ELEMENT_HDR *)((char *)meh + sizeof(MSG_ELEMENT_HDR) + meh->length);
length = length - sizeof(MSG_ELEMENT_HDR)-meh->length;
}
return 0;
}
int main(void)
{
memory_overstep_boundary();
return 0;
}