<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en" style='--code-editor-font: var(--default-mono-font, "GitLab Mono"), JetBrains Mono, Menlo, DejaVu Sans Mono, Liberation Mono, Consolas, Ubuntu Mono, Courier New, andale mono, lucida console, monospace;'>
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style data-premailer="ignore" type="text/css">
a { color: #1068bf; }
</style>
<style>img {
max-width: 100%; height: auto;
}
body {
font-size: .875rem;
}
body {
-webkit-text-shadow: rgba(255,255,255,.01) 0 0 1px;
}
body {
font-family: "GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji"; font-size: inherit;
}
</style>
</head>
<body style='font-size: inherit; -webkit-text-shadow: rgba(255,255,255,.01) 0 0 1px; font-family: "GitLab Sans",-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,"Noto Sans",Ubuntu,Cantarell,"Helvetica Neue",sans-serif,"Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Noto Color Emoji";'>
<div class="content">
<p class="details" style="font-style: italic; color: #737278;">
<a href="https://gitlab.rtems.org/joel">Joel Sherrill</a> created an issue: <a href="https://gitlab.rtems.org/rtems/rtos/rtems/-/issues/5248">#5248</a>
</p>
<p>
Assignee: Gedare Bloom
</p>
<div class="md" style="position: relative; z-index: 1; color: #28272d; word-wrap: break-word;">
<h2 dir="auto" style="font-size: 1.5em; font-weight: 600; padding-bottom: .3em; border-bottom-width: 1px; border-bottom-color: #bfbfc3; border-bottom-style: solid; color: #28272d; margin: 0 0 16px;" align="initial">
<a href="#summary" aria-hidden="true" class="anchor" id="user-content-summary" style="margin-top: 0; float: left; margin-left: -20px; text-decoration: none; outline: none;"></a>Summary</h2>
<p dir="auto" style="color: #28272d; margin: 0 0 16px;" align="initial">Coverity Scan <a href="https://scan5.scan.coverity.com/#/project-view/30909/10069?selectedIssue=1642617" rel="nofollow noreferrer noopener" target="_blank" style="margin-top: 0;">1642617</a> identifies a write past the end of a buffer in ctucanfd.c.</p>
<div class="gl-relative markdown-code-block js-markdown-code">
<pre class="code highlight js-syntax-highlight language-plaintext" v-pre="true" style='display: block; font-size: 14px; color: #28272d; line-height: 1.6em; overflow-x: auto; border-radius: .25rem; position: relative; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; word-break: break-all; word-wrap: break-word; background-color: #fbfafd; margin: 0 0 16px; padding: 12px; border: 1px solid #dcdcde;'><code style='font-size: inherit; color: inherit; word-wrap: normal; word-break: keep-all; background-color: inherit; border-radius: .25rem; white-space: pre; margin-top: 0; font-family: "GitLab Mono","JetBrains Mono","Menlo","DejaVu Sans Mono","Liberation Mono","Consolas","Ubuntu Mono","Courier New","andale mono","lucida console",monospace; vertical-align: bottom; overflow-wrap: normal; padding: unset;'><span id="LC1" class="line" lang="plaintext" style="margin-top: 0;"> 1. Condition rtems_can_test_bit(1, &chip->flags) == 0, taking false branch.</span>
<span id="LC2" class="line" lang="plaintext"> 7. Condition rtems_can_test_bit(1, &chip->flags) == 0, taking false branch.</span>
<span id="LC3" class="line" lang="plaintext">1297 if ( rtems_can_test_bit( RTEMS_CAN_CHIP_RUNNING, &chip->flags ) == 0 ) {</span>
<span id="LC4" class="line" lang="plaintext">1298 /* Abort all filled HW buffers. */</span>
<span id="LC5" class="line" lang="plaintext">1299 for ( int i = 0; i < internal->txb_prio_tail[0]; i++ ) {</span>
<span id="LC6" class="line" lang="plaintext">1300 txtb_id = ctucanfd_txb_from_order( internal->txb_order, i );</span>
<span id="LC7" class="line" lang="plaintext">1301</span>
<span id="LC8" class="line" lang="plaintext">1302 if ( ctucanfd_get_tx_status( internal, txtb_id ) == TXT_ETY ) {</span>
<span id="LC9" class="line" lang="plaintext">1303 txb_info = &internal->txb_info[txtb_id];</span>
<span id="LC10" class="line" lang="plaintext">1304 if ( txb_info != NULL ) {</span>
<span id="LC11" class="line" lang="plaintext">1305 rtems_can_queue_filter_frame_to_edges(</span>
<span id="LC12" class="line" lang="plaintext">1306 &chip->qends_dev->base,</span>
<span id="LC13" class="line" lang="plaintext">1307 txb_info->edge,</span>
<span id="LC14" class="line" lang="plaintext">1308 &txb_info->slot->frame,</span>
<span id="LC15" class="line" lang="plaintext">1309 CAN_FRAME_TXERR</span>
<span id="LC16" class="line" lang="plaintext">1310 );</span>
<span id="LC17" class="line" lang="plaintext">1311 rtems_can_queue_free_outslot(</span>
<span id="LC18" class="line" lang="plaintext">1312 &chip->qends_dev->base,</span>
<span id="LC19" class="line" lang="plaintext">1313 txb_info->edge,</span>
<span id="LC20" class="line" lang="plaintext">1314 txb_info->slot</span>
<span id="LC21" class="line" lang="plaintext">1315 );</span>
<span id="LC22" class="line" lang="plaintext">1316 txb_info->slot = NULL;</span>
<span id="LC23" class="line" lang="plaintext">1317 txb_info->edge = NULL;</span>
<span id="LC24" class="line" lang="plaintext">1318 ctucanfd_txb_free( internal, i );</span>
<span id="LC25" class="line" lang="plaintext">1319 }</span>
<span id="LC26" class="line" lang="plaintext">1320 } else {</span>
<span id="LC27" class="line" lang="plaintext">1321 ctucanfd_give_txtb_cmd( internal, TXT_CMD_SET_ABORT, txtb_id );</span>
<span id="LC28" class="line" lang="plaintext">1322 abort_recheck = 1;</span>
<span id="LC29" class="line" lang="plaintext">1323 }</span>
<span id="LC30" class="line" lang="plaintext">1324 }</span>
<span id="LC31" class="line" lang="plaintext">1325</span>
<span id="LC32" class="line" lang="plaintext">1326 /* Clear the FIFOs filled with frames to be sent. */</span>
<span id="LC33" class="line" lang="plaintext">1327 while ( rtems_can_queue_test_outslot( qends, &qedge, &slot ) >= 0 ) {</span>
<span id="LC34" class="line" lang="plaintext">1328 /* Filter these frames back to the application as TX error frames. */</span>
<span id="LC35" class="line" lang="plaintext">1329 rtems_can_queue_filter_frame_to_edges(</span>
<span id="LC36" class="line" lang="plaintext">1330 &chip->qends_dev->base,</span>
<span id="LC37" class="line" lang="plaintext">1331 qedge,</span>
<span id="LC38" class="line" lang="plaintext">1332 &slot->frame,</span>
<span id="LC39" class="line" lang="plaintext">1333 CAN_FRAME_TXERR</span>
<span id="LC40" class="line" lang="plaintext">1334 );</span>
<span id="LC41" class="line" lang="plaintext">1335 rtems_can_queue_free_outslot(</span>
<span id="LC42" class="line" lang="plaintext">1336 &chip->qends_dev->base,</span>
<span id="LC43" class="line" lang="plaintext">1337 qedge,</span>
<span id="LC44" class="line" lang="plaintext">1338 slot</span>
<span id="LC45" class="line" lang="plaintext">1339 );</span>
<span id="LC46" class="line" lang="plaintext">1340 rtems_can_stats_add_tx_error( &chip->chip_stats );</span>
<span id="LC47" class="line" lang="plaintext">1341 }</span>
<span id="LC48" class="line" lang="plaintext">1342</span>
<span id="LC49" class="line" lang="plaintext">1343 if ( internal->txb_prio_tail[0] == 0 ) {</span>
<span id="LC50" class="line" lang="plaintext">1344 /* Notify the stop function all frames were aborted/sent back */</span>
<span id="LC51" class="line" lang="plaintext">1345 rtems_binary_semaphore_post( &chip->stop_sem );</span>
<span id="LC52" class="line" lang="plaintext">1346 }</span>
<span id="LC53" class="line" lang="plaintext"> 2. Condition internal->txb_prio_tail[0] < internal->ntxbufs, taking true branch.</span>
<span id="LC54" class="line" lang="plaintext"> 8. Condition internal->txb_prio_tail[0] < internal->ntxbufs, taking true branch.</span>
<span id="LC55" class="line" lang="plaintext">1347 } else if ( internal->txb_prio_tail[0] < internal->ntxbufs ) {</span>
<span id="LC56" class="line" lang="plaintext">1348 /* We have some space in HW buffers for outgoing messages,</span>
<span id="LC57" class="line" lang="plaintext">1349 * chek whether there is something to send.</span>
<span id="LC58" class="line" lang="plaintext">1350 */</span>
<span id="LC59" class="line" lang="plaintext">1351 ret = rtems_can_queue_test_outslot( qends, &qedge, &slot );</span>
<span id="LC60" class="line" lang="plaintext"> 3. Condition ret >= 0, taking true branch.</span>
<span id="LC61" class="line" lang="plaintext"> 9. Condition ret >= 0, taking true branch.</span>
<span id="LC62" class="line" lang="plaintext">1352 if ( ret >= 0 ) {</span>
<span id="LC63" class="line" lang="plaintext">1353 unsigned int txb_order_idx = internal->txb_prio_tail[0];</span>
<span id="LC64" class="line" lang="plaintext"> 10. assignment: Assigning: txtb_id = ctucanfd_txb_from_order(internal->txb_order, txb_order_idx). The value of txtb_id may now be up to 15.</span>
<span id="LC65" class="line" lang="plaintext">1354 unsigned int txtb_id = ctucanfd_txb_from_order (</span>
<span id="LC66" class="line" lang="plaintext">1355 internal->txb_order,</span>
<span id="LC67" class="line" lang="plaintext">1356 txb_order_idx</span>
<span id="LC68" class="line" lang="plaintext">1357 );</span>
<span id="LC69" class="line" lang="plaintext">1358 ctucanfd_check_state( internal, "before insert_frame" );</span>
<span id="LC70" class="line" lang="plaintext">1359 /* Insert frame to HW buffer */</span>
<span id="LC71" class="line" lang="plaintext">1360 bool ok = ctucanfd_insert_frame( internal, &slot->frame, txtb_id );</span>
<span id="LC72" class="line" lang="plaintext"> 4. Condition ok == 1, taking false branch.</span>
<span id="LC73" class="line" lang="plaintext"> 11. Condition ok == 1, taking true branch.</span>
<span id="LC74" class="line" lang="plaintext">1361 if ( ok == true ) {</span>
<span id="LC75" class="line" lang="plaintext">1362 /* Frame inserted succesfully, update TX buffer representation,</span>
<span id="LC76" class="line" lang="plaintext">1363 * buffer priorities and set buffer as ready.</span>
<span id="LC77" class="line" lang="plaintext">1364 */</span>
<span id="LC78" class="line" lang="plaintext"> 12. alias: Assigning: txb_info = &internal->txb_info[txtb_id]. txb_info may now point to as high as element 15 of internal->txb_info (which consists of 8 8-byte elements).</span>
<span id="LC79" class="line" lang="plaintext">1365 txb_info = &internal->txb_info[txtb_id];</span>
<span id="LC80" class="line" lang="plaintext"> </span>
<span id="LC81" class="line" lang="plaintext">CID 1642617: (#1 of 1): Out-of-bounds write (OVERRUN)</span>
<span id="LC82" class="line" lang="plaintext">13. overrun-local: Overrunning array of 64 bytes at byte offset 120 by dereferencing pointer txb_info.</span>
<span id="LC83" class="line" lang="plaintext">1366 txb_info->edge = qedge;</span>
<span id="LC84" class="line" lang="plaintext">1367 txb_info->slot = slot;</span>
<span id="LC85" class="line" lang="plaintext">1368 ctucanfd_txb_add( internal, txb_order_idx, qedge->edge_prio );</span>
<span id="LC86" class="line" lang="plaintext">1369 ctucanfd_write32(</span>
<span id="LC87" class="line" lang="plaintext">1370 internal,</span>
<span id="LC88" class="line" lang="plaintext">1371 CTUCANFD_TX_PRIORITY,</span>
<span id="LC89" class="line" lang="plaintext">1372 ctucanfd_txb_order2prio( internal->txb_order )</span>
<span id="LC90" class="line" lang="plaintext">1373 );</span>
<span id="LC91" class="line" lang="plaintext">1374 ctucanfd_give_txtb_cmd( internal, TXT_CMD_SET_READY, txtb_id );</span>
<span id="LC92" class="line" lang="plaintext">1375 ctucanfd_give_txtb_cmd( internal, TXT_CMD_SET_READY, txtb_id );</span>
<span id="LC93" class="line" lang="plaintext">1376 ctucanfd_check_state( internal, "after insert_frame succeed" );</span>
<span id="LC94" class="line" lang="plaintext">1377 continue;</span>
<span id="LC95" class="line" lang="plaintext">1378 } else {</span>
<span id="LC96" class="line" lang="plaintext">1379 /* Insert failed, schedule frame for later processing */</span>
<span id="LC97" class="line" lang="plaintext">1380 ctucanfd_check_state( internal, "before insert_frame failed" );</span>
<span id="LC98" class="line" lang="plaintext">1381 rtems_can_queue_push_back_outslot( qends, qedge, slot );</span>
<span id="LC99" class="line" lang="plaintext">1382 }</span>
<span id="LC100" class="line" lang="plaintext">1383 }</span>
<span id="LC101" class="line" lang="plaintext"> 5. Falling through to end of if statement.</span>
<span id="LC102" class="line" lang="plaintext">1384 } else {</span>
<span id="LC103" class="line" lang="plaintext">1385 /* There is no free space in HW buffers. Check whether pending</span>
<span id="LC104" class="line" lang="plaintext">1386 * message has higher priority class then some message in HW buffers.</span>
<span id="LC105" class="line" lang="plaintext">1387 */</span>
<span id="LC106" class="line" lang="plaintext">1388 int pending_prio = -1;</span>
<span id="LC107" class="line" lang="plaintext">1389 int avail_prio;</span>
<span id="LC108" class="line" lang="plaintext">1390 for (</span>
<span id="LC109" class="line" lang="plaintext">1391 avail_prio = 1;</span>
<span id="LC110" class="line" lang="plaintext">1392 avail_prio < RTEMS_CAN_QUEUE_PRIO_NR;</span>
<span id="LC111" class="line" lang="plaintext">1393 avail_prio++</span>
<span id="LC112" class="line" lang="plaintext">1394 ) {</span>
<span id="LC113" class="line" lang="plaintext">1395 if ( internal->txb_prio_tail[avail_prio] < internal->ntxbufs ) {</span>
<span id="LC114" class="line" lang="plaintext">1396 pending_prio = rtems_can_queue_pending_outslot_prio(</span>
<span id="LC115" class="line" lang="plaintext">1397 qends,</span>
<span id="LC116" class="line" lang="plaintext">1398 avail_prio</span>
<span id="LC117" class="line" lang="plaintext">1399 );</span>
<span id="LC118" class="line" lang="plaintext">1400 break;</span>
<span id="LC119" class="line" lang="plaintext">1401 }</span>
<span id="LC120" class="line" lang="plaintext">1402 }</span></code></pre>
</div>
<h2 dir="auto" style="font-size: 1.5em; font-weight: 600; padding-bottom: .3em; border-bottom-width: 1px; border-bottom-color: #bfbfc3; border-bottom-style: solid; color: #28272d; margin: 24px 0 16px;" align="initial">
<a href="#steps-to-reproduce" aria-hidden="true" class="anchor" id="user-content-steps-to-reproduce" style="margin-top: 0; float: left; margin-left: -20px; text-decoration: none; outline: none;"></a>Steps to reproduce</h2>
<h3 dir="auto" style="font-size: 1.3em; margin: 24px 0 0;" align="initial">
<a href="#pre-set-options" aria-hidden="true" class="anchor" id="user-content-pre-set-options" style="margin-top: 0; float: left; margin-left: -20px; text-decoration: none; outline: none;"></a>Pre-set options</h3>
</div>
</div>
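<p>The arithmetic behind the trace, as an added example that is not part of the issue or of the RTEMS sources: the check at line 1347 bounds <code>txb_order_idx</code>, not the decoded <code>txtb_id</code>, so an id of 15 reaches byte offset 15 * 8 = 120 in a 64-byte array. All <code>demo_</code> names are hypothetical, the 4-bit decoding is an assumption consistent with the reported maximum of 15, and the 8-byte element mirrors the size Coverity reports.</p>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEMO_TXB_MAX 8u /* txb_info has 8 elements per the report */

struct demo_txb_info { uint32_t edge; uint32_t slot; }; /* 8 bytes each */

struct demo_internal {
  uint32_t             txb_order; /* assumed: one 4-bit buffer id per slot */
  unsigned int         ntxbufs;
  struct demo_txb_info txb_info[DEMO_TXB_MAX];
};

/* Assumed decoding: a 4-bit field yields 0..15, the range Coverity reports. */
static unsigned int demo_txb_from_order(uint32_t order, unsigned int idx)
{
  return (order >> (4u * idx)) & 0xFu;
}

/* Byte offset an unchecked store like the one at line 1366 would reach. */
static size_t demo_store_offset(unsigned int txtb_id)
{
  return (size_t)txtb_id * sizeof(struct demo_txb_info);
}

/* Checked store: validate the decoded id, not only the order index. */
static int demo_record_tx(struct demo_internal *in, unsigned int order_idx,
                          uint32_t edge, uint32_t slot)
{
  if (order_idx >= DEMO_TXB_MAX) return -1; /* keeps the shift below 32 */
  unsigned int txtb_id = demo_txb_from_order(in->txb_order, order_idx);

  if (txtb_id >= DEMO_TXB_MAX || txtb_id >= in->ntxbufs) {
    return -1; /* unexpected order word: refuse instead of writing */
  }
  in->txb_info[txtb_id].edge = edge;
  in->txb_info[txtb_id].slot = slot;
  return (int)txtb_id;
}

int main(void)
{
  /* Constructed order word: slots 0..2 hold ids 0..2, slot 3 holds 0xF. */
  struct demo_internal in = { .txb_order = 0x0000F210u, .ntxbufs = 4 };
  printf("order slot 1 -> %d\n", demo_record_tx(&in, 1, 0xA, 0xB));
  printf("order slot 3 -> %d\n", demo_record_tx(&in, 3, 0xA, 0xB));
  return 0;
}
```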
</body>
</html>