jtag/commands: fixed buffer overflow

When performing a command queue allocation larger than the default page
size of 1MiB, any subsequent allocations will run into an integer
underflow when checking for the remaining memory left in the current page,
causing the function to return a pointer past the end of the buffer and
thus creating a buffer overflow.

This has been observed to cause some transfers to Efinix FPGAs to fail,
because another buffer can get corrupted in the process, causing its
respective free() to fail.

Change-Id: Ic5a0e1774e2dbd58f1a05127f14816c8251a7d9c
Signed-off-by: SydMontague <sydmontague@phoenix-staffel.de>
Reviewed-on: https://review.openocd.org/c/openocd/+/8126
Reviewed-by: Tomas Vanek <vanekt@fbl.cz>
Reviewed-by: Antonio Borneo <borneo.antonio@gmail.com>
Tested-by: jenkins
SydMontague 2024-02-02 12:12:48 +01:00 committed by Antonio Borneo
parent 33573cda4a
commit 179169268c
1 changed file with 1 addition and 1 deletion

@ -103,7 +103,7 @@ void *cmd_queue_alloc(size_t size)
if (*p_page) {
p_page = &cmd_queue_pages_tail;
if (CMD_QUEUE_PAGE_SIZE - (*p_page)->used < size)
if (CMD_QUEUE_PAGE_SIZE < (*p_page)->used + size)
p_page = &((*p_page)->next);
}
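Review bot: the rewritten condition `CMD_QUEUE_PAGE_SIZE < (*p_page)->used + size` removes the unsigned underflow of `CMD_QUEUE_PAGE_SIZE - (*p_page)->used` when `used` already exceeds the page size, but the sum on the right is itself an unsigned addition that can wrap for a very large `size`, which would make the check pass and again hand out a pointer past the page. Since the commit message states that allocations larger than a page do occur here, consider an explicit guard such as `(*p_page)->used > CMD_QUEUE_PAGE_SIZE || size > CMD_QUEUE_PAGE_SIZE - (*p_page)->used`, which expresses the same intent without either overflow, and a short comment on why the comparison is written this way so the original form is not reintroduced later.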