authorschrewe <73848196+schrewe@users.noreply.github.com>2020-12-07 01:17:16 +0100
committerGitHub <noreply@github.com>2020-12-07 09:17:16 +0900
commitaf734fe097ed379b0aa5fcf551886b1ce5098052 (patch)
treecea13116c74e112be58a4161461db77a9b6ebb1a
parentff4f44c159df6f44b48bd38c9d2f104eb360be11 (diff)
Check size of ring buffer (#269)
There is no check if "data" fits into the ring buffer. This causes a heap buffer overflow on write. If data is too big for the ring buffer, nothing is written to the ring buffer and an error is logged. If the buffers are bigger than the free space in the ring buffer, the ring buffer is increased by a step size set at initialization. But there is no check if this increase was sufficient. Fix this by using a while loop that increases the ring buffer size until it is big enough or the buffer cannot be increased further. Signed-off-by: Jan Schrewe <schrewe@uni-bonn.de>
-rw-r--r--src/shared/dlt_common.c38
1 files changed, 26 insertions, 12 deletions
diff --git a/src/shared/dlt_common.c b/src/shared/dlt_common.c
index d15b1ce..615665c 100644
--- a/src/shared/dlt_common.c
+++ b/src/shared/dlt_common.c
@@ -2361,17 +2361,22 @@ void dlt_buffer_write_block(DltBuffer *buf, int *write, const unsigned char *dat
{
/* catch null pointer */
if ((buf != NULL) && (write != NULL) && (data != NULL)) {
- if ((int)(*write + size) <= buf->size) {
- /* write one block */
- memcpy(buf->mem + *write, data, size);
- *write += size;
- }
- else {
- /* write two blocks */
- memcpy(buf->mem + *write, data, buf->size - *write);
- memcpy(buf->mem, data + buf->size - *write, size - buf->size + *write);
- *write += size - buf->size;
- }
+ if (size <= buf->size){
+ if ((int)(*write + size) <= buf->size) {
+ /* write one block */
+ memcpy(buf->mem + *write, data, size);
+ *write += size;
+ }
+ else {
+ /* write two blocks */
+ memcpy(buf->mem + *write, data, buf->size - *write);
+ memcpy(buf->mem, data + buf->size - *write, size - buf->size + *write);
+ *write += size - buf->size;
+ }
+ }
+ else {
+ dlt_vlog(LOG_WARNING, "%s: Write error: ring buffer to small\n", __func__);
+ }
}
else {
dlt_vlog(LOG_WARNING, "%s: Wrong parameter: Null pointer\n", __func__);
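Review bot: The new `size <= buf->size` guard bounds the length but not the offset, so `*write` is still used unchecked. In the two-block branch `buf->size - *write` is the first memcpy length, and a `*write` that is negative or larger than `buf->size` becomes a very large copy. In `dlt_buffer_push3` the write index is read back from `buf->shm` (third hunk), so it is worth validating it here as well, e.g. `if ((buf->size > 0) && (*write >= 0) && (*write <= buf->size) && (size <= (unsigned int)buf->size)) {`. The cast assumes `size` is unsigned and `buf->size` is a signed int, which is inferred from the existing `(int)` cast because the parameter list is cut off in the hunk header; without the explicit `buf->size > 0` a negative capacity would be converted to a huge unsigned value and pass the comparison. The function returns void, so callers cannot tell that the block was dropped, and the log text reads `to small` where `too small` is meant.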
@@ -2596,7 +2601,7 @@ int dlt_buffer_push3(DltBuffer *buf,
free_size = buf->size - write + read;
/* check size */
- if (free_size < (int)(sizeof(DltBufferBlockHead) + size1 + size2 + size3)) {
+ while (free_size < (int)(sizeof(DltBufferBlockHead) + size1 + size2 + size3)) {
/* try to increase size if possible */
if (dlt_buffer_increase_size(buf))
/* increase size is not possible */
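Review bot: The loop condition still narrows the required size with `(int)(sizeof(DltBufferBlockHead) + size1 + size2 + size3)`. If that sum exceeds INT_MAX (or wraps, should the size parameters be unsigned; their types are not visible in the hunk), the cast result can be negative, the condition is false and the push proceeds without growing the buffer. Computing the requirement once in a wide unsigned type, `size_t needed = sizeof(DltBufferBlockHead) + (size_t)size1 + size2 + size3;`, and returning the same error as the failed-growth path when `needed > INT_MAX` would close that case before the loop is entered. The loop also terminates only if `dlt_buffer_increase_size()` reports failure once the maximum size is reached; its body is not part of this diff, so that is worth confirming.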
@@ -2606,6 +2611,15 @@ int dlt_buffer_push3(DltBuffer *buf,
/* update pointers */
write = ((int *)(buf->shm))[0];
read = ((int *)(buf->shm))[1];
+
+ /* update free size */
+ if (read > write)
+ free_size = read - write;
+ else if (count && (write == read))
+ free_size = 0;
+ else
+ free_size = buf->size - write + read;
+
}
/* set header */
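Review bot: The free-size recomputation added inside the loop repeats the if/else chain that runs before the loop (its last branch, `free_size = buf->size - write + read;`, is visible as context in the previous hunk), so the two copies can drift apart. A small static helper taking `buf->size`, `read`, `write` and `count`, called in both places, would keep them in step and give one place to reject `read`/`write` values outside `0..buf->size`. `count` is not re-read after `dlt_buffer_increase_size()` in the visible lines; if growing never changes the block count, a short comment such as `/* count is unchanged by a resize */` would make that assumption explicit. The function body continues outside the hunk.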