From: "Graves, Daniel (GE Healthcare)"
Date: Fri, 22 Jun 2012 16:10:00 -0000
Message-ID: <6F6D3EC964AAC24D9C45644424DE2D810C2F6486@CINMLVEM19.e2k.ad.ge.com>
Mailing-List: contact ecos-discuss-help@ecos.sourceware.org; run by ezmlm
Subject: [ECOS] Serial Driver improvement
X-SW-Source: 2012-06/txt/msg00036.txt.bz2

Hello,

Note that this might have been fixed already but just in case: I found that the following code in Serial.c will cause a buffer overflow if there is garbage data on the wire before a thread has started reading from the serial port:

------------------------------------------------
static rcv_req_reply_t
serial_data_rcv_req(serial_channel *chan, int avail,
                    int* space_avail, unsigned char** space)
{
    cbuf_t *cbuf = &chan->in_cbuf;
    int gap;

#ifdef CYGOPT_IO_SERIAL_FLOW_CONTROL_SOFTWARE
    // When there is software flow-control, force the serial device
    // driver to use the single-char xmt/rcv functions, since these
    // have to make policy decision based on the data. Rcv function
    // may also have to transmit data to throttle the xmitter.
    if (chan->config.flags & (CYGNUM_SERIAL_FLOW_XONXOFF_TX|CYGNUM_SERIAL_FLOW_XONXOFF_RX))
        return CYG_RCV_DISABLED;
#endif
    CYG_ASSERT(false == cbuf->block_mode_xfer_running,
               "Attempting new block transfer while another is running");

    // Check for space
    gap = cbuf->nb;
    if (gap == cbuf->len)
        return CYG_RCV_FULL;
----------------------

The line gap == cbuf->len will not always evaluate to true if garbage data is received. This will cause the put variable to shoot way past len.

Thanks,
Daniel P Graves

--
Before posting, please read the FAQ: http://ecos.sourceware.org/fom/ecos
and search the list archive: http://ecos.sourceware.org/ml/ecos-discuss
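As an added illustration of the point raised in the mail (this is not code from the mail or from eCos itself), the following C model contrasts the equality-only space check quoted above with a bounded variant. The cbuf_t layout, CBUF_LEN, min3, rcv_req_equality, rcv_req_bounded and rcv_done_bounded are all constructed for this example and only model the fields the fragment touches (len, put, get, nb); the scenario where nb has already crossed len is assumed, as the mail describes, rather than derived from any particular receive path.

```c
#include <stdio.h>

/* Constructed stand-in for the cbuf_t fields the posted fragment uses.
 * Field names follow the fragment; the struct is not eCos's own definition. */
#define CBUF_LEN 16

typedef struct {
    unsigned char data[CBUF_LEN];
    int len;   /* capacity of data[] */
    int put;   /* producer index (where the driver writes next) */
    int get;   /* consumer index (where the reader drains from) */
    int nb;    /* number of bytes currently held */
} cbuf_t;

typedef enum { RCV_FULL, RCV_OK } rcv_req_reply_t;

static int min3(int a, int b, int c)
{
    int m = a < b ? a : b;
    return m < c ? m : c;
}

/* Space check as posted: equality only. Once nb has crossed len (the
 * condition the mail describes) the check no longer fires, and the
 * function hands the driver a write region it does not really have. */
rcv_req_reply_t rcv_req_equality(cbuf_t *cbuf, int avail,
                                 int *space_avail, unsigned char **space)
{
    int gap = cbuf->nb;
    if (gap == cbuf->len)
        return RCV_FULL;
    /* contiguous run to the end of the array; nb is not consulted again */
    gap = cbuf->len - cbuf->put;
    *space_avail = avail < gap ? avail : gap;
    *space = &cbuf->data[cbuf->put];
    return RCV_OK;
}

/* Bounded check: any nb at or beyond len is "full", an out-of-range put
 * is refused, and the grant is limited by free bytes as well as by the
 * contiguous run to the end of the array. */
rcv_req_reply_t rcv_req_bounded(cbuf_t *cbuf, int avail,
                                int *space_avail, unsigned char **space)
{
    if (cbuf->nb >= cbuf->len || cbuf->put < 0 || cbuf->put >= cbuf->len)
        return RCV_FULL;
    int free_bytes = cbuf->len - cbuf->nb;
    int contiguous = cbuf->len - cbuf->put;
    int grant = min3(avail, free_bytes, contiguous);
    if (grant <= 0)
        return RCV_FULL;
    *space_avail = grant;
    *space = &cbuf->data[cbuf->put];
    return RCV_OK;
}

/* Completion side: the driver reports how many bytes it wrote. Clamp to
 * the grant so put advances by at most what was handed out, and wrap
 * with modulo rather than an equality test. Returns the bytes accepted. */
int rcv_done_bounded(cbuf_t *cbuf, int granted, int written)
{
    if (written > granted) written = granted;
    if (written < 0) written = 0;
    cbuf->put = (cbuf->put + written) % cbuf->len;
    cbuf->nb += written;
    return written;
}

int main(void)
{
    /* Constructed state: nb already three past len, as the mail describes. */
    cbuf_t b = { .len = CBUF_LEN, .put = 5, .get = 5, .nb = CBUF_LEN + 3 };
    int sp = 0;
    unsigned char *p = NULL;
    printf("equality check on overshoot: %s\n",
           rcv_req_equality(&b, 100, &sp, &p) == RCV_FULL ? "FULL" : "OK (grants space)");
    printf("bounded check on overshoot:  %s\n",
           rcv_req_bounded(&b, 100, &sp, &p) == RCV_FULL ? "FULL" : "OK");
    return 0;
}
```

The equality version answers OK on the overshoot state and offers 11 bytes starting at put, which is exactly how a producer runs past the end; the bounded version refuses it, and on a healthy buffer it never grants more than the free byte count, so a driver that reports more than it was given is clamped at completion.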