From 2104d642bb86f27747107cb8e777739dc215b1f4 Mon Sep 17 00:00:00 2001
From: Rob Austein
Date: Thu, 7 Jul 2016 17:18:37 -0400
Subject: Fix buffer overflow check.
---
 xdr.c | 23 +++++++++++++++--------
 1 file changed, 15 insertions(+), 8 deletions(-)
(limited to 'xdr.c')
diff --git a/xdr.c b/xdr.c
index 27b8593..0f172fb 100644
--- a/xdr.c
+++ b/xdr.c
@@ -165,21 +165,28 @@ hal_error_t hal_xdr_decode_buffer_in_place(const uint8_t **inbuf, const uint8_t
 */
 hal_error_t hal_xdr_decode_buffer(const uint8_t **inbuf, const uint8_t * const limit, uint8_t * const value, uint32_t * const len)
 {
+ if (inbuf == NULL || value == NULL || len == NULL)
+ return HAL_ERROR_BAD_ARGUMENTS;
+
 hal_error_t ret;
 const uint8_t *vptr;
 const uint8_t *orig_inbuf = *inbuf;
 uint32_t xdr_len;
- if ((ret = hal_xdr_decode_buffer_in_place(inbuf, limit, &vptr, &xdr_len)) == HAL_OK) {
- *len = xdr_len;
- if (*len < xdr_len) {
- /* user buffer is too small, undo read of length */
- *inbuf = orig_inbuf;
- return HAL_ERROR_XDR_BUFFER_OVERFLOW;
- }
+ if ((ret = hal_xdr_decode_buffer_in_place(inbuf, limit, &vptr, &xdr_len)) != HAL_OK)
+ return ret;
- memcpy(value, vptr, *len);
+ if (*len < xdr_len) {
+ /* user buffer is too small, undo read of length */
+ *inbuf = orig_inbuf;
+ ret = HAL_ERROR_XDR_BUFFER_OVERFLOW;
 }
+ else {
+ memcpy(value, vptr, xdr_len);
+ }
+
+ *len = xdr_len;
+
 return ret;
 }
-- 
cgit v1.2.3
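Review bot: `*len` is now read as the capacity of `value` at `if (*len < xdr_len)` and then overwritten with the decoded length, including on the `HAL_ERROR_XDR_BUFFER_OVERFLOW` path, so the parameter has become in/out and nothing in the hunk documents that. Before this change the value was overwritten before the comparison, so a caller that passed an uninitialized or stale `*len` went unnoticed. Such a caller would now get a spurious overflow error or, if the leftover value exceeds its real buffer size, still reach `memcpy(value, vptr, xdr_len)` past the end of `value`. The callers are not visible here and should be audited alongside this fix. I would add to the function's header comment, which begins outside the hunk: `/* On entry *len is the capacity of value in bytes; on return it holds the encoded length, also on HAL_ERROR_XDR_BUFFER_OVERFLOW, so reset it before each call. */`. The new NULL guard also leaves `*inbuf` and `limit` unchecked, presumably relying on `hal_xdr_decode_buffer_in_place` to reject them, which is worth confirming.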