fix buffer overflow if data is set but data_size = 0

61d7d404 · Dominik Loidolt · df1ea83a · 61d7d404 · 61d7d404
Commit 61d7d404 authored 3 years ago by Dominik Loidolt
--- a/lib/rdcu_pkt_to_file.c
+++ b/lib/rdcu_pkt_to_file.c
@@ -144,6 +144,8 @@ static int32_t rmap_tx_to_file(const void *hdr, uint32_t hdr_size,
 	}

 	n = rdcu_package(NULL, hdr, hdr_size, non_crc_bytes, data, data_size);
+	if (n <= 0)
+		return -1;
 	blob = malloc(n);
 	if (!blob) {
 		printf("malloc for tx_pkt faild\n");
@@ -151,6 +153,10 @@ static int32_t rmap_tx_to_file(const void *hdr, uint32_t hdr_size,
 	}

 	n = rdcu_package(blob, hdr, hdr_size, non_crc_bytes, data, data_size);
+	if (n <= 0) {
+		free(blob);
+		return -1;
+	}

 	fp = open_file(tc_folder_dir, n_pkt);


--- a/lib/rdcu_rmap.c
+++ b/lib/rdcu_rmap.c
@@ -595,7 +595,10 @@ int rdcu_package(uint8_t *blob,


 	if (data_size & 0x3)	/* must be multiple of 4 */
-		return -1;
+		return 0;
+
+	if (!data_size)
+		data = NULL;

 	if (!cmd_size) {
 		blob = NULL;
@@ -609,7 +612,7 @@ int rdcu_package(uint8_t *blob,
 	ri = (struct rmap_instruction *) &cmd[non_crc_bytes + RMAP_INSTRUCTION];

 	/* see if the type of command needs a data crc field at the end */
-		switch (ri->cmd) {
+	switch (ri->cmd) {
 	case RMAP_READ_MODIFY_WRITE_ADDR_INC:
 	case RMAP_WRITE_ADDR_SINGLE:
 	case RMAP_WRITE_ADDR_INC:
@@ -618,13 +621,12 @@ int rdcu_package(uint8_t *blob,
 	case RMAP_WRITE_ADDR_SINGLE_VERIFY_REPLY:
 	case RMAP_WRITE_ADDR_INC_VERIFY_REPLY:
 	case RMAP_WRITE_ADDR_INC_REPLY:
-			has_data_crc = 1;
-			n += 1;
-			break;
-		default:
-			break;
-		}
-
+		has_data_crc = 1;
+		n += 1;
+		break;
+	default:
+		break;
+	}

 	if (data)
 		n += data_size;
@@ -632,7 +634,6 @@ int rdcu_package(uint8_t *blob,
 	if (!blob)
 		return n;

-
 	memcpy(&blob[0], cmd, cmd_size);

 	blob[cmd_size] = rmap_crc8(&cmd[non_crc_bytes],
@@ -647,7 +648,6 @@ int rdcu_package(uint8_t *blob,
 			blob[cmd_size + 1] = 0x0;
 	}

-
 	return n;
 }