On Wednesday, 4 October 2017 14:21:42 PDT Alex Kelley via iotivity-dev wrote:
> Hey Steve,
> 
> I just wanted to update this thread that I added VERIFY_CBOR_NOT_OUTOFMEMORY
> when I was fixing IOT-2718 and then filed IOT-2728 to resolve the rest of
> the issues. This is why the cbor out of memory check is only present in the
> roles resource.

Just a bit of background: TinyCBOR allows you to ignore the out of memory 
condition and continue encoding. It will not actually overflow memory, but it 
will stop writing new data when it reaches the end of the buffer.

When you reach the end of the input data you wanted to encode, you can check 
whether it's asking for more bytes with cbor_encoder_get_extra_bytes_needed(). 
If the value is non-zero, you reallocate and then re-encode the same data, 
with a guarantee for success (you can even ignore all errors).

So while this is a problem and should be fixed, possibly even a showstopper 
because we'd be sending truncated useless data, we're not actually overflowing 
the buffers and causing further security issues.

-- 
Thiago Macieira - thiago.macieira (AT) intel.com
  Software Architect - Intel Open Source Technology Center

_______________________________________________
iotivity-dev mailing list
[email protected]
https://lists.iotivity.org/mailman/listinfo/iotivity-dev
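The encode / check-the-shortfall / grow / re-encode pattern Thiago describes, as an added stand-alone illustration that is not code from the thread, from IoTivity or from TinyCBOR. Because TinyCBOR itself is not linked here, the block carries a tiny stand-in encoder (enc_t, enc_put, enc_head) that only reproduces the behaviour the mail relies on: it stops writing at the end of the buffer and keeps counting the bytes it could not write, the way cbor_encoder_get_extra_bytes_needed() reports them. The sample map {"role": "admin", "id": 1000}, the helper names payload_extra_bytes() and encode_with_growth(), and the 8-byte starting buffer are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the relevant part of TinyCBOR's encoder state (not TinyCBOR's
 * own struct): bytes are stored only while they fit; once the buffer is full
 * the encoder keeps running and merely counts what it could not write. */
typedef struct {
    uint8_t *buf;
    size_t   cap;
    size_t   used;     /* bytes actually stored in buf */
    size_t   missing;  /* bytes dropped because buf was full */
} enc_t;

static void enc_init(enc_t *e, uint8_t *buf, size_t cap) {
    e->buf = buf; e->cap = cap; e->used = 0; e->missing = 0;
}

/* Bounded write: never steps past buf + cap and never fails. */
static void enc_put(enc_t *e, const void *src, size_t n) {
    size_t room = e->cap - e->used;
    size_t w = n < room ? n : room;
    memcpy(e->buf + e->used, src, w);
    e->used += w;
    e->missing += n - w;
}

/* CBOR initial bytes: major type in the top 3 bits, shortest argument form. */
static void enc_head(enc_t *e, uint8_t major, uint64_t arg) {
    uint8_t t[9];
    size_t n = 0;                            /* number of argument bytes */
    if (arg < 24)                { t[0] = (uint8_t)((major << 5) | arg); }
    else if (arg <= 0xffu)       { t[0] = (uint8_t)((major << 5) | 24); n = 1; }
    else if (arg <= 0xffffu)     { t[0] = (uint8_t)((major << 5) | 25); n = 2; }
    else if (arg <= 0xffffffffu) { t[0] = (uint8_t)((major << 5) | 26); n = 4; }
    else                         { t[0] = (uint8_t)((major << 5) | 27); n = 8; }
    for (size_t i = 0; i < n; i++)           /* argument is big-endian */
        t[1 + i] = (uint8_t)(arg >> (8 * (n - 1 - i)));
    enc_put(e, t, 1 + n);
}

static void enc_text(enc_t *e, const char *s) {
    size_t n = strlen(s);
    enc_head(e, 3, n);                       /* major type 3: text string */
    enc_put(e, s, n);
}

/* Constructed sample payload: the map {"role": "admin", "id": 1000}.
 * Fully encoded it is 18 bytes (a2 64 "role" 65 "admin" 62 "id" 19 03 e8). */
static void encode_payload(enc_t *e) {
    enc_head(e, 5, 2);                       /* major type 5: map of 2 pairs */
    enc_text(e, "role"); enc_text(e, "admin");
    enc_text(e, "id");   enc_head(e, 0, 1000); /* major type 0: unsigned int */
}

/* Pass 1 only: bytes dropped when encoding into a cap-byte buffer.  This is the
 * number a caller that skips the check would silently fail to send. */
size_t payload_extra_bytes(size_t cap) {
    uint8_t *buf = malloc(cap ? cap : 1);
    enc_t e;
    if (!buf) return (size_t)-1;
    enc_init(&e, buf, cap);
    encode_payload(&e);
    free(buf);
    return e.missing;
}

/* Full pattern: encode, check the shortfall, grow once, re-encode.  The second
 * pass fits because the same input always produces the same byte count.
 * Returns a malloc'd buffer the caller frees, or NULL on allocation failure. */
uint8_t *encode_with_growth(size_t initial_cap, size_t *out_len) {
    size_t cap = initial_cap ? initial_cap : 1;
    uint8_t *buf = malloc(cap);
    enc_t e;
    if (!buf) return NULL;
    enc_init(&e, buf, cap);
    encode_payload(&e);
    if (e.missing) {
        size_t need = e.used + e.missing;    /* exact size of the full encoding */
        uint8_t *grown = realloc(buf, need);
        if (!grown) { free(buf); return NULL; }
        buf = grown;
        enc_init(&e, buf, need);
        encode_payload(&e);
    }
    *out_len = e.used;
    return buf;
}

int main(void) {
    size_t len = 0;
    uint8_t *p = encode_with_growth(8, &len);
    if (!p) return 1;
    printf("pass 1 into 8 bytes dropped %zu bytes; final encoding is %zu bytes:",
           payload_extra_bytes(8), len);
    for (size_t i = 0; i < len; i++) printf(" %02x", p[i]);
    printf("\n");
    free(p);
    return 0;
}
```

Starting from an 8-byte buffer, the first pass stores 8 of the 18 bytes and reports 10 missing; nothing is written past the buffer, which is the "no overflow" half of the argument. A caller that transmits the 8 stored bytes without consulting the shortfall sends a truncated map, which is the "showstopper" half. With the real library the same shape is cbor_encoder_init(), the cbor_encode_* calls, then cbor_encoder_get_extra_bytes_needed() before deciding whether to reallocate and encode again.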
