buffer overrun in rtems_rfs_bitmap_create_search()

Walter Lee waltl at google.com
Mon Jun 4 19:27:41 UTC 2018


Hi Gedare.  Thanks for the response.  I am using a snapshot of RTEMS
provided by a third party, based on commit #821acce on master.  The
bug should still be there on the tip of master and on 4.11 (and
probably 4.10 also, but that version seems to be missing another
patch).

I've updated the patch to master, and also added a test.

Thanks,

Walter

On Mon, Jun 4, 2018 at 9:55 AM Gedare Bloom <gedare at rtems.org> wrote:
>
> Hello Walter,
>
> Thank you for the bug report and patch. The patch is outdated, what
> version of RTEMS are you using? I think the problem also affects the
> master branch, but we need a ticket for each affected open branch.
>
> The fix looks OK to me, but I'd like Chris Johns to approve it. I
> assigned the ticket to him.
>
> Gedare
>
> On Wed, May 30, 2018 at 1:24 PM, Walter Lee <waltl at google.com> wrote:
> > Hi.  I am encountering a buffer overrun in
> > rtems_rfs_bitmap_create_search().  It seems that whenever the bitmap
> > uses the last bit of its search_map (i.e. (control->size + 31) % 32 ==
> > 32)), the loop will write to the word one beyond the end of
> > search_map.
> >
> > I filed a bug at https://devel.rtems.org/ticket/3439, with a patch
> > that fixes the problem.
> >
> > Please let me know if I'm missing something, and if not what I need to
> > do to get this fixed.
> >
> > Thanks,
> >
> > Walter
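
The overrun pattern reported in this thread can be reproduced with a guard word placed after the search map. The following is an added example, not code from the thread, the ticket or RTEMS: it is a simplified model that assumes one search bit per 32-bit map word, and `build_search`, `overrun_detected` and the `guarded` flag are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BITS      32u          /* bits per map/search word */
#define MAX_WORDS 64u          /* model limit: bitmaps up to 2048 bits */
#define CANARY    0xDEADBEEFu  /* guard value placed after the search map */

static size_t words_for(size_t n) { return (n + BITS - 1) / BITS; }

/* Simplified model (assumption, not RTEMS code): one search bit per map word.
 * guarded=0: after filling bit 31 the loop always steps to the next search
 * word and clears it, even when no map words remain. guarded=1: stop first. */
static void build_search(const uint32_t *map, size_t map_words,
                         uint32_t *search, int guarded)
{
    size_t w = 0;
    unsigned bit = 0;
    *search = 0;
    while (w < map_words) {
        if (map[w] != 0) *search |= (uint32_t)1 << bit;
        w++;
        if (bit == BITS - 1) {
            if (guarded && w == map_words) break;
            bit = 0;
            search++;
            *search = 0;   /* unguarded: can land one word past the map */
        } else {
            bit++;
        }
    }
}

/* 1 if the guard word after the search map was overwritten, -1 on bad size. */
int overrun_detected(size_t size_bits, int guarded)
{
    uint32_t map[MAX_WORDS], search[MAX_WORDS / BITS + 1];
    size_t map_words = words_for(size_bits), search_words = words_for(map_words);
    if (map_words == 0 || map_words > MAX_WORDS) return -1;
    memset(map, 0xFF, sizeof map);
    search[search_words] = CANARY;   /* stays inside the array: no real UB */
    build_search(map, map_words, search, guarded);
    return search[search_words] != CANARY;
}

int main(void)
{
    printf("unguarded=%d guarded=%d\n", overrun_detected(1024, 0), overrun_detected(1024, 1));
    return 0;
}
```

In this model the guard word is only overwritten when the bitmap fills the last bit of its last search word (1024 or 2048 bits here), which is why sizes such as 992 or 1056 bits pass unnoticed in testing.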

