author | schrewe <73848196+schrewe@users.noreply.github.com> | 2020-12-07 01:17:16 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-12-07 09:17:16 +0900 |
commit | af734fe097ed379b0aa5fcf551886b1ce5098052 (patch) | |
tree | cea13116c74e112be58a4161461db77a9b6ebb1a /src | |
parent | ff4f44c159df6f44b48bd38c9d2f104eb360be11 (diff) | |
Check size of ring buffer (#269)
There is no check whether "data" fits into the ring buffer.
This causes a heap buffer overflow on write.
If data is too big for the ringbuffer, nothing is written to the
ringbuffer and an error is logged.
If the buffers are bigger than the free space in the ringbuffer, the
ringbuffer is increased by a step size set at initialization.
But there is no check if this increase was sufficient.
Fix this by using a while loop that increases the ring buffer size until
it is big enough or the buffer can not be further increased.
Signed-off-by: Jan Schrewe <schrewe@uni-bonn.de>
Diffstat (limited to 'src')
-rw-r--r-- | src/shared/dlt_common.c | 38 |
1 files changed, 26 insertions, 12 deletions
diff --git a/src/shared/dlt_common.c b/src/shared/dlt_common.c
index d15b1ce..615665c 100644
--- a/src/shared/dlt_common.c
+++ b/src/shared/dlt_common.c
@@ -2361,17 +2361,22 @@ void dlt_buffer_write_block(DltBuffer *buf, int *write, const unsigned char *dat
 {
 /* catch null pointer */
 if ((buf != NULL) && (write != NULL) && (data != NULL)) {
- if ((int)(*write + size) <= buf->size) {
- /* write one block */
- memcpy(buf->mem + *write, data, size);
- *write += size;
- }
- else {
- /* write two blocks */
- memcpy(buf->mem + *write, data, buf->size - *write);
- memcpy(buf->mem, data + buf->size - *write, size - buf->size + *write);
- *write += size - buf->size;
- }
+ if (size <= buf->size){
+ if ((int)(*write + size) <= buf->size) {
+ /* write one block */
+ memcpy(buf->mem + *write, data, size);
+ *write += size;
+ }
+ else {
+ /* write two blocks */
+ memcpy(buf->mem + *write, data, buf->size - *write);
+ memcpy(buf->mem, data + buf->size - *write, size - buf->size + *write);
+ *write += size - buf->size;
+ }
+ }
+ else {
+ dlt_vlog(LOG_WARNING, "%s: Write error: ring buffer to small\n", __func__);
+ }
 }
 else {
 dlt_vlog(LOG_WARNING, "%s: Wrong parameter: Null pointer\n", __func__);
@@ -2596,7 +2601,7 @@ int dlt_buffer_push3(DltBuffer *buf,
 free_size = buf->size - write + read;
 /* check size */
- if (free_size < (int)(sizeof(DltBufferBlockHead) + size1 + size2 + size3)) {
+ while (free_size < (int)(sizeof(DltBufferBlockHead) + size1 + size2 + size3)) {
 /* try to increase size if possible */
 if (dlt_buffer_increase_size(buf))
 /* increase size is not possible */
@@ -2606,6 +2611,15 @@ int dlt_buffer_push3(DltBuffer *buf,
 /* update pointers */
 write = ((int *)(buf->shm))[0];
 read = ((int *)(buf->shm))[1];
+
+ /* update free size */
+ if (read > write)
+ free_size = read - write;
+ else if (count && (write == read))
+ free_size = 0;
+ else
+ free_size = buf->size - write + read;
+
 }
 /* set header */ |
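Review bot: The new `size <= buf->size` guard in dlt_buffer_write_block bounds `size` but not `*write`, so an offset that is negative or larger than `buf->size` still reaches the `memcpy` calls with an out-of-range destination or a negative length in `buf->size - *write`. The last hunk of this patch shows dlt_buffer_push3 loading `write` from `buf->shm`, so unless a caller validates it outside the visible lines, the guard should cover the offset as well, e.g. `if ((size <= buf->size) && (*write >= 0) && (*write <= (int)buf->size)) {`. The function only logs on rejection, and its visible branches return nothing, so the caller presumably carries on as if the block had been written; a comment stating that, or an error path in the caller, would make the drop explicit. The message also says "to small" where "too small" is meant, and the function's signature and closing lines are outside the hunk.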
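Review bot: The `while` condition in dlt_buffer_push3 still casts the sum `sizeof(DltBufferBlockHead) + size1 + size2 + size3` to `int`, so a total that exceeds INT_MAX or wraps can come out negative or small, skip the loop, and let the push proceed without enough free space. Assuming size1..size3 are unsigned (the signature is cut off by the hunk), the total should be computed once in a wider type and rejected before the loop when it cannot be represented, e.g. `uint64_t need = (uint64_t)sizeof(DltBufferBlockHead) + size1 + size2 + size3;` followed by an early error return when `need > INT_MAX`. The loop then compares `free_size` against that checked value instead of repeating the cast on every iteration.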
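Review bot: The `free_size` recomputation added inside the loop appears to duplicate the computation that runs before the loop (its last branch, `free_size = buf->size - write + read;`, is visible as context in the previous hunk), so the two copies can drift apart. A small `static` helper taking `buf->size`, `read`, `write` and `count`, called from both places, would keep them in sync. `count` is used in the new `else if` without being re-read after `dlt_buffer_increase_size()`, while `write` and `read` are reloaded from `buf->shm`; if the resize is guaranteed to leave the count unchanged, a comment such as `/* count is not changed by dlt_buffer_increase_size() */` should say so. The loop body begins outside this hunk.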