From 2f94d669d74e0b66d4c87e3c33477c8167a4d13c Mon Sep 17 00:00:00 2001
From: Johann Fischer <j.fischer@phytec.de>
Date: Wed, 23 Dec 2015 15:34:13 +0100
Subject: [PATCH] gnrc_pktbuf_static.c: fix overflow in
 gnrc_pktbuf_realloc_data

This patch fixes an overflow caused by
(pkt->size - aligned_size). It happens if pkt->size and the
new size are unaligned and the difference
between pkt->size and the new size is less than four.
---
 sys/net/gnrc/pktbuf_static/gnrc_pktbuf_static.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/sys/net/gnrc/pktbuf_static/gnrc_pktbuf_static.c b/sys/net/gnrc/pktbuf_static/gnrc_pktbuf_static.c
index 653abbd779..edc2858157 100644
--- a/sys/net/gnrc/pktbuf_static/gnrc_pktbuf_static.c
+++ b/sys/net/gnrc/pktbuf_static/gnrc_pktbuf_static.c
@@ -179,8 +179,10 @@ int gnrc_pktbuf_realloc_data(gnrc_pktsnip_t *pkt, size_t size)
         pkt->data = new_data;
     }
     else {
-        _pktbuf_free(((uint8_t *)pkt->data) + aligned_size,
-                     pkt->size - aligned_size);
+        if (_align(pkt->size) > aligned_size) {
+            _pktbuf_free(((uint8_t *)pkt->data) + aligned_size,
+                         pkt->size - aligned_size);
+        }
     }
     pkt->size = size;
     mutex_unlock(&_mutex);
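Review bot: The guard on the first added line compares the aligned old size `_align(pkt->size)` with `aligned_size`, yet the length handed to `_pktbuf_free` two lines below is still the unaligned `pkt->size - aligned_size`; the guard does rule out the wrap-around (both sides are alignment multiples, so `pkt->size` must exceed `aligned_size` whenever it holds), but the mixed aligned/unaligned arithmetic deserves a comment so a later reader does not "fix" one side without the other. Suggested comment above the new `if`: `/* release the tail only when shrinking frees a whole aligned unit; pkt->size - aligned_size would otherwise wrap around (size_t) */`. Whether `_pktbuf_free` rounds its length argument up itself, which decides if a trailing partial unit is accounted for correctly, is not visible in this hunk; if it does not, passing `_align(pkt->size) - aligned_size` would make the freed length match the guard exactly. The enclosing gnrc_pktbuf_realloc_data begins and ends outside the hunk, so the condition of the preceding `if` whose else-branch this is cannot be checked here.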
-- 
GitLab