[U-Boot] [PATCH] Fix memory stomper in DFU. Loop NULL-initted one past allocated array size.
Lukasz Majewski
l.majewski at majess.pl
Fri Jul 12 22:48:16 CEST 2013
On Fri, 12 Jul 2013 13:48:51 -0400
mboards at prograde.net wrote:
Hi Michael,
> From: Michael Cashwell <mboards at prograde.net>
>
> The memory layout arranged itself such that a long-standing memory
> stomper in a DFU prepare callback used during USB registration
> mangled the malloc heap enough to cause my board to panic much later
> in a call to free(). Since it hadn't happened before but was
> repeatable I decided to investigate before it vanished again.
>
> The actual stomp happened in this line after the for loop:
> f_dfu->function[i] = NULL;
Thanks for the investigation, but I've already fixed that:
dfu:function: Fix number of allocated DFU function pointers
SHA1: e059a400ad780328cd5ad22c396298cac520c856
This patch has been included in v2013.07-rc2.
>
> git blame says this code was introduced here:
> b819ddbf (Lukasz Majewski 2012-08-06 14:41:06 +0200 587)
>
> I'm not sure if the function[] array actually needs a NULL entry at
> the end. If so then this patch is the right fix. If it really always
> knows the last array index and doesn't need the NULL then removing
> the offending assignment would be better. Not knowing makes this
> patch safer.
>
> Signed-off-by: Michael Cashwell <mboards at prograde.net>
> ---
> drivers/usb/gadget/f_dfu.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c
> index a322ae5..b24de09 100644
> --- a/drivers/usb/gadget/f_dfu.c
> +++ b/drivers/usb/gadget/f_dfu.c
> @@ -589,7 +589,7 @@ static int dfu_prepare_function(struct f_dfu
> *f_dfu, int n) struct usb_interface_descriptor *d;
> int i = 0;
>
> - f_dfu->function = calloc(sizeof(struct usb_descriptor_header
> *), n);
> + f_dfu->function = calloc(sizeof(struct usb_descriptor_header
> *), n + 1); if (!f_dfu->function)
> goto enomem;
>
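Review bot: The `n + 1` in the calloc() call carries no comment saying the extra slot is for the NULL terminator that the commit message says is written after the loop (`f_dfu->function[i] = NULL;`); a one-line comment would keep a later cleanup from trimming it back to `n`. The arguments are also in the reverse of calloc(nmemb, size) order; `calloc(n + 1, sizeof(*f_dfu->function))` reads more clearly and ties the element size to the pointer's own type. Since `n` is a signed `int`, it is also worth confirming that callers never pass a negative count before it reaches the allocation.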
Anyway, it's nice to hear that +1 user of DFU is out there :-)
Best regards,
Lukasz Majewski
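
The sentinel-terminated pointer array discussed in this thread, sized so that the terminator write stays in bounds. This is an added example, not code from U-Boot or from either poster; `struct desc_header`, `build_desc_table` and `count_descs` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for a descriptor header; not U-Boot's struct. */
struct desc_header { uint8_t length; uint8_t type; };

/* Build a NULL-terminated table of n pointers; the terminator takes slot n,
 * so n + 1 slots are allocated. Returns NULL on bad input or no memory. */
struct desc_header **build_desc_table(struct desc_header *descs, int n)
{
    struct desc_header **table;
    int i;
    /* Reject negative counts and counts whose byte size would overflow. */
    if (n < 0 || (size_t)n >= SIZE_MAX / sizeof(*table))
        return NULL;

    /* calloc(nmemb, size): element count first, element size second. */
    table = calloc((size_t)n + 1, sizeof(*table));
    if (!table)
        return NULL;

    for (i = 0; i < n; i++)
        table[i] = &descs[i];
    /* i == n here: the last allocated slot, in bounds because of the + 1. */
    table[i] = NULL;
    return table;
}

/* Walk the table as a consumer that relies on the terminator would. */
int count_descs(struct desc_header **table)
{
    int count = 0;

    while (table[count])
        count++;
    return count;
}

int main(void)
{
    struct desc_header descs[3] = { {9, 4}, {9, 4}, {9, 4} }; /* constructed sample */
    struct desc_header **table = build_desc_table(descs, 3);
    if (!table) return 1;
    printf("%d descriptors before the terminator\n", count_descs(table));
    free(table);
    return 0;
}
```

Building this with `-fsanitize=address` and changing the allocation to `n` slots makes the terminator write show up as a heap-buffer-overflow at the point of the store rather than as a later crash in free().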