author SydMontague <sydmontague@phoenix-staffel.de> 2024-02-02 12:12:48 +0100
committer Antonio Borneo <borneo.antonio@gmail.com> 2024-02-24 13:41:06 +0000
commit 179169268ca1bbac092324f597fbea090d75355e (patch)
tree 7c05b6f7cba6dbeb30a1eeb0c7a369c3c24ca93b
parent 33573cda4aa5685b32c44a81b1f2d84a28d78810 (diff)
jtag/commands: fixed buffer overflow
When performing a command queue allocation larger than the default page size of 1MiB, any subsequent allocations will run into an integer underflow when checking for the remaining memory left in the current page, causing the function to return a pointer past the end of the buffer and thus creating a buffer overflow.

This has been observed to cause some transfers to Efinix FPGAs to fail, because another buffer can get corrupted in the process, causing its respective free() to fail.

Change-Id: Ic5a0e1774e2dbd58f1a05127f14816c8251a7d9c
Signed-off-by: SydMontague <sydmontague@phoenix-staffel.de>
Reviewed-on: https://review.openocd.org/c/openocd/+/8126
Reviewed-by: Tomas Vanek <vanekt@fbl.cz>
Reviewed-by: Antonio Borneo <borneo.antonio@gmail.com>
Tested-by: jenkins
-rw-r--r-- src/jtag/commands.c | 2
1 files changed, 1 insertions, 1 deletions
diff --git a/src/jtag/commands.c b/src/jtag/commands.c
index c36c219..a60684c 100644
--- a/src/jtag/commands.c
+++ b/src/jtag/commands.c
@@ -103,7 +103,7 @@ void *cmd_queue_alloc(size_t size)
if (*p_page) {
p_page = &cmd_queue_pages_tail;
- if (CMD_QUEUE_PAGE_SIZE - (*p_page)->used < size)
+ if (CMD_QUEUE_PAGE_SIZE < (*p_page)->used + size)
p_page = &((*p_page)->next);
}
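Review bot: the rewritten condition on the `+` line removes the unsigned wrap of `CMD_QUEUE_PAGE_SIZE - (*p_page)->used` (which, per the commit message, goes negative once `used` exceeds the page size after an oversized allocation), but it trades it for a possible wrap in `(*p_page)->used + size` when `size` is close to `SIZE_MAX`; since `size` is the caller-supplied `size_t` parameter of `cmd_queue_alloc`, a wrap-free form such as `if (size > CMD_QUEUE_PAGE_SIZE || (*p_page)->used > CMD_QUEUE_PAGE_SIZE - size)` would make the bounds check hold for every input, and a one-line comment stating that `used` may legitimately exceed `CMD_QUEUE_PAGE_SIZE` would document why the check is written this way.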