The vulnerability exists in sdp_cstate_alloc_buf:
sdp_cstate_list_t *cstate = malloc(sizeof(sdp_cstate_list_t));
uint8_t *data = malloc(buf->data_size);
cstate->buf.data = data;
cstate->timestamp = sdp_get_time();
cstate->next = cstates;
However, cstate always stays linked in the singly linked list cstates and is never freed. This causes a memory leak vulnerability.
The data can be a very large object, so an attacker can continuously send SDP packets until the service on the target device crashes.
I use this vulnerability to coordinate the memory layout.
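One way to bound such a cache, as an added example that is not the project's own code: each entry records its owning connection and is freed when that connection closes or the entry ages out, and allocation is refused above a size and count limit. The `sock` field, the `MAX_*` limits and the function names `cstate_alloc` and `cstate_release` are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of the list above; sock and the limits are assumed. */
typedef struct cstate {
    struct cstate *next;
    long timestamp;
    int sock;               /* owning connection, valid sockets are >= 0 */
    uint8_t *data;
} cstate_t;

#define MAX_CSTATES 4       /* assumed cap on cached entries */
#define MAX_BUF 4096        /* assumed cap on one cached buffer */
#define MAX_AGE 30          /* assumed lifetime in seconds */

static cstate_t *cstates;
static size_t cstate_count;

/* Free entries owned by sock or older than cutoff; returns how many. */
static size_t cstate_release(int sock, long cutoff) {
    size_t freed = 0;
    for (cstate_t **pp = &cstates; *pp; ) {
        cstate_t *c = *pp;
        if (c->sock == sock || c->timestamp < cutoff) {
            *pp = c->next;              /* unlink before freeing */
            free(c->data); free(c);
            cstate_count--; freed++;
        } else pp = &c->next;
    }
    return freed;
}

/* Cache a copy of buf for sock; returns 0, or -1 when refused. */
static int cstate_alloc(int sock, const uint8_t *buf, size_t len, long now) {
    cstate_release(-1, now - MAX_AGE);  /* expire stale entries first */
    if (len == 0 || len > MAX_BUF || cstate_count >= MAX_CSTATES) return -1;
    cstate_t *c = malloc(sizeof(*c));
    uint8_t *data = malloc(len);
    if (!c || !data) { free(c); free(data); return -1; }
    memcpy(data, buf, len);
    c->data = data; c->sock = sock; c->timestamp = now;
    c->next = cstates; cstates = c; cstate_count++;
    return 0;
}

int main(void) {
    uint8_t pdu[64] = {0};              /* constructed sample payload */
    for (int i = 0; i < 10; i++) cstate_alloc(7, pdu, sizeof pdu, 100);
    size_t cached = cstate_count;       /* stays at MAX_CSTATES */
    printf("cached=%zu freed=%zu\n", cached, cstate_release(7, 0));
    return 0;
}
```

Call `cstate_release(sock, 0)` from the connection-close path so a disconnecting client cannot leave buffers behind.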