changeset 15896:11932b04e6a0

8164501: Uninitialised memory in byteArrayToPacket of SharedMemoryConnection.c Reviewed-by: sla, dsamersoff
author rehn
date Mon, 24 Oct 2016 09:07:26 +0200
parents 4a837dd80453
children 0b19d27ee4dc
files src/jdk.jdi/share/native/libdt_shmem/SharedMemoryConnection.c
diffstat 1 files changed, 14 insertions(+), 3 deletions(-) [+]
--- a/src/jdk.jdi/share/native/libdt_shmem/SharedMemoryConnection.c	Thu Oct 20 17:05:27 2016 -0700
+++ b/src/jdk.jdi/share/native/libdt_shmem/SharedMemoryConnection.c	Mon Oct 24 09:07:26 2016 +0200
@@ -174,9 +174,20 @@
      * Get the packet header
      */
     (*env)->GetByteArrayRegion(env, b, 0, sizeof(pktHeader), pktHeader);
+    if ((*env)->ExceptionOccurred(env)) {
+        /* b shorter than sizeof(pktHeader) */
+        return;
+    }
 
     total_length = (int)pktHeader[3] | ((int)pktHeader[2] << 8) |
                    ((int)pktHeader[1] << 16) | ((int)pktHeader[0] << 24);
+
+    if (total_length < sizeof(pktHeader)) {
+        throwException(env, "java/lang/IllegalArgumentException",
+                            "JDWP header is incorrect");
+        return;
+    }
+
     /*
      * The id field is in big endian (also errorCode field in the case
      * of reply packets).
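Review bot: The new guard `if (total_length < sizeof(pktHeader))` compares against a `size_t`, so if `total_length` is a signed integer (its declaration is outside the hunk, but the `(int)` casts in the assembly above suggest it is) a negative length built from the header bytes is converted to a large unsigned value and passes the check. The second hunk's `data_length = total_length - sizeof(pktHeader);` mixes the types the same way and would then yield a negative `data_length` that is neither zero nor a sane allocation size. Making the comparison signed closes that gap: `if (total_length < (int)sizeof(pktHeader)) {`. The function body begins and ends outside this hunk, so the exact types should be confirmed against the declarations.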
@@ -195,9 +206,9 @@
     }
 
     /*
-     * The length of the JDWP packet is 11 + data
+     * The length of the JDWP packet is sizeof(pktHeader) + data
      */
-    data_length = total_length - 11;
+    data_length = total_length - sizeof(pktHeader);
 
     if (data_length == 0) {
         data = NULL;
@@ -209,7 +220,7 @@
             return;
         }
 
-        (*env)->GetByteArrayRegion(env, b, 11, /*sizeof(CmdPacket)+4*/ data_length, data);
+        (*env)->GetByteArrayRegion(env, b, sizeof(pktHeader), /*sizeof(CmdPacket)+4*/ data_length, data);
         if ((*env)->ExceptionOccurred(env)) {
             free(data);
             return;
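Review bot: The length used in this copy still comes only from the packet header and is never compared with the real length of `b`. The allocation of `data` sits above this hunk and is not visible, but it appears to be sized from `data_length` before `GetByteArrayRegion` can reject an out-of-range request, so a short array that declares a large length costs a large allocation first. A check next to the header validation, for example `if (total_length > (*env)->GetArrayLength(env, b))` raising the same `IllegalArgumentException`, would reject such a packet before any memory is requested. Separately, the leftover inline comment `/*sizeof(CmdPacket)+4*/` no longer matches the offset or the length argument and can be dropped.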