From 4325aca0f7a2a8c34b2f9db2c97bcc93aef76d5d Mon Sep 17 00:00:00 2001
From: Dirk Ziegelmeier
Date: Wed, 31 Aug 2016 10:35:42 +0200
Subject: [PATCH] Fix pbuf_memcmp() implementation by using pbuf_try_get_at() instead of pbuf_get_at(). Payload out-of-bounds access was not handled correctly.
---
 src/core/pbuf.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/core/pbuf.c b/src/core/pbuf.c
index 1e6efb05..28fccc2b 100644
--- a/src/core/pbuf.c
+++ b/src/core/pbuf.c
@@ -1310,8 +1310,11 @@ pbuf_memcmp(struct pbuf* p, u16_t offset, const void* s2, u16_t n)
 if ((q != NULL) && (q->len > start)) {
 u16_t i;
 for (i = 0; i < n; i++) {
- u8_t a = pbuf_get_at(q, start + i);
 u8_t b = ((const u8_t*)s2)[i];
+ int a = pbuf_try_get_at(q, start + i);
+ if (a < 0) {
+ return 0xffff;
+ }
 if (a != b) {
 return i+1;
 }
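Review bot: The offset `start + i` passed to `pbuf_try_get_at()` in the added line is computed as an `int`, but if that function takes a `u16_t` offset, as `pbuf_memcmp()` itself does, a sum above 0xffff is truncated and wraps to a small in-range offset. In that case the new `a < 0` check never fires and the compare runs against the wrong payload bytes instead of returning 0xffff. A range check ahead of the loop would close this, for example `if ((u32_t)offset + n > p->tot_len) { return 0xffff; }`. Separately, `return i+1` can itself equal 0xffff when `n` is 0xffff and only the last byte differs, so callers cannot tell that mismatch from the out-of-bounds sentinel; the function comment should say so. The body of `pbuf_memcmp()` starts and ends outside this hunk, so an existing length check there may already cover the first point.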