diff options
author | SydMontague <sydmontague@phoenix-staffel.de> | 2024-02-02 12:12:48 +0100 |
---|---|---|
committer | Antonio Borneo <borneo.antonio@gmail.com> | 2024-02-24 13:41:06 +0000 |
commit | 179169268ca1bbac092324f597fbea090d75355e (patch) | |
tree | 7c05b6f7cba6dbeb30a1eeb0c7a369c3c24ca93b | |
parent | 33573cda4aa5685b32c44a81b1f2d84a28d78810 (diff) | |
download | riscv-openocd-179169268ca1bbac092324f597fbea090d75355e.zip riscv-openocd-179169268ca1bbac092324f597fbea090d75355e.tar.gz riscv-openocd-179169268ca1bbac092324f597fbea090d75355e.tar.bz2 |
jtag/commands: fixed buffer overflow
When performing a command queue allocation larger than the default page
size of 1MiB any subsequent allocations will run into an integer under-
flow when checking for the remaining memory left in the current page.
Causing the function returning a pointer past the end of the buffer and
thus creating a buffer overflow.
This has been observed to cause some transfers to Efinix FPGAs to fail,
because another buffer can get corrupted in the process, causing its
respective free() to fail.
Change-Id: Ic5a0e1774e2dbd58f1a05127f14816c8251a7d9c
Signed-off-by: SydMontague <sydmontague@phoenix-staffel.de>
Reviewed-on: https://review.openocd.org/c/openocd/+/8126
Reviewed-by: Tomas Vanek <vanekt@fbl.cz>
Reviewed-by: Antonio Borneo <borneo.antonio@gmail.com>
Tested-by: jenkins
-rw-r--r-- | src/jtag/commands.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/jtag/commands.c b/src/jtag/commands.c index c36c219..a60684c 100644 --- a/src/jtag/commands.c +++ b/src/jtag/commands.c @@ -103,7 +103,7 @@ void *cmd_queue_alloc(size_t size) if (*p_page) { p_page = &cmd_queue_pages_tail; - if (CMD_QUEUE_PAGE_SIZE - (*p_page)->used < size) + if (CMD_QUEUE_PAGE_SIZE < (*p_page)->used + size) p_page = &((*p_page)->next); } |