From 8944352f648643fa5c72cd216a76695a021b7851 Mon Sep 17 00:00:00 2001
From: Kamil Zulewski <kamil.zulewski@iopsys.eu>
Date: Wed, 21 Dec 2022 11:29:01 +0100
Subject: [PATCH] Add sanity buffer size check to cntlr_gen_agent_list_tlv

---
 src/cntlr_tlv.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/cntlr_tlv.c b/src/cntlr_tlv.c
index 95011b88..53032af3 100644
--- a/src/cntlr_tlv.c
+++ b/src/cntlr_tlv.c
@@ -1716,9 +1716,10 @@ int cntlr_gen_agent_list_tlv(struct controller *c, struct cmdu_buff *frm)
 	struct tlv_agent_list *tlv_data;
 	struct node *n;
 	int i;
+	const uint16_t max_tlv_len = 512;
 
 	dbg("%s: --->\n", __func__);
-	t = cmdu_reserve_tlv(frm, 512);
+	t = cmdu_reserve_tlv(frm, max_tlv_len);
 	if (!t)
 		return -1;
 
@@ -1732,6 +1733,9 @@ int cntlr_gen_agent_list_tlv(struct controller *c, struct cmdu_buff *frm)
 	t->len = sizeof(tlv_data->num_agent) +
 		 tlv_data->num_agent * sizeof(tlv_data->agent[0]);
 
+	if (t->len > max_tlv_len)
+		return -1;
+
 	i = 0;
 	list_for_each_entry(n, &c->nodelist, list) {
 		dbg("\tagent[%d]:\n", i);
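Review bot: The new `t->len > max_tlv_len` guard bounds only the length derived from `tlv_data->num_agent`, while the copy loop right after it walks `c->nodelist` with its own index `i`, so the writes into `tlv_data->agent[]` are not bounded by this check unless `num_agent` is counted from that same list (the assignment is outside the hunk). A stop condition inside the loop, e.g. `if (i >= tlv_data->num_agent) break;`, would tie the writes to the validated length. The comparison is also made after the value is already stored in `t->len`; if that field is 16 bits wide (its declaration is not visible here), computing the size in a `size_t` local and assigning it only after the check would keep a truncated value from passing the test. The early `return -1` appears to leave the TLV reserved in the first hunk in `frm` and logs nothing, so a `dbg()` line on that path would make the drop diagnosable. The function body starts and ends outside the hunk.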
-- 
GitLab