From e54b631b8d04fb18078e47228e281b6b2f5e48ad Mon Sep 17 00:00:00 2001
From: Michael Abbott
Date: Wed, 11 Aug 2010 16:49:46 -0500
Subject: [PATCH] Guard memset in camessage.c to prevent wild memory overrun if mismatch between payload and data size.
---
 src/ca/nciu.h | 2 +-
 src/rsrv/camessage.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/ca/nciu.h b/src/ca/nciu.h
index f05a13b96..de070dcea 100644
--- a/src/ca/nciu.h
+++ b/src/ca/nciu.h
@@ -41,7 +41,7 @@
 # include "shareLib.h"
 #endif
-#define CA_MINOR_PROTOCOL_REVISION 12
+#define CA_MINOR_PROTOCOL_REVISION 13
 #include "caProto.h"
 #include "cacIO.h"
diff --git a/src/rsrv/camessage.c b/src/rsrv/camessage.c
index 8542becb8..963561461 100644
--- a/src/rsrv/camessage.c
+++ b/src/rsrv/camessage.c
@@ -605,7 +605,7 @@ static void read_reply ( void *pArg, struct dbAddr *paddr,
 payload_size = data_size;
 cas_set_header_count(pClient, item_count);
 }
- else
+ else if (payload_size > data_size)
 memset( (char *) pPayload + data_size, 0, payload_size - data_size);
 }
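Review bot: In the camessage.c hunk, the new `else if (payload_size > data_size)` guard stops the memset length from going wrong, but the `payload_size < data_size` case, which is the mismatch the commit message describes, now falls through silently. If both sizes are unsigned (their declarations are outside the hunk), the old `payload_size - data_size` would have wrapped to a huge length, and the guard removes that symptom only. Whatever filled `pPayload` with `data_size` bytes earlier in read_reply may already have written past the reserved payload, so I would add an explicit branch for `data_size > payload_size` that reports the mismatch and fails the reply instead of sending it. I would also brace the branch and add a comment such as `/* zero only the padding after the converted data; skipped when data_size >= payload_size */`. The enclosing `if` and the start of read_reply are outside the hunk.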