This is the mail archive of the ecos-devel@sources.redhat.com mailing list for the eCos project.



Re: possible bug in compactflash device




hello all,

possible stack-overwrite in: /devs/disk/v85x/edb_v850/current/source/v85x_edb_v850_disk.c

read_data: always reads 512 byte=0x200 bytes in buf

cf_disk_init: calls read_data with len=sizeof(cf_ata_identify_data_t)=0x8C bytes and a buffer with only 0x8c bytes so the stack will be destroyed

but I think the problem is in cf_ata.h: the last line of cf_ata_identify_data_t should not be a comment

bye daniel

You are right. There is some bitrot in this driver, the driver interfaces
were changed when the code was committed to CVS and nobody thoroughly
tested this driver - I'm probably the only one using it in its original state and
I still use the pre-CVS version.


I've attached the original driver source - as you can see there were more
parameters to read_data and write_data and the len parameter was
used when reading/writing.

I think that the length test in read_data loop should solve the above problem:

for (i = 0; i < 512; i += 2)
{
   cyg_uint16 data;
   HAL_READ_UINT16(base + 4, data);
   if (i < len)
      *bufp++ = data;
}

I'll try to find some time and make a test drive :-)

savin
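
The bounded read discussed in this thread, as an added example that is not part of either message or of the eCos driver: the whole 512-byte sector is still drained from the data register, but a word is stored only while both of its bytes fit in the caller's buffer, which also covers an odd len. mock_read_data_reg is a hypothetical stand-in for HAL_READ_UINT16(base + 4, data), and the guard-byte harness and its names are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SECTOR_BYTES 512u
#define IDENT_BYTES  0x8Cu   /* sizeof(cf_ata_identify_data_t) as quoted in the thread */
#define CANARY       0xA5u   /* constructed guard value */

/* Hypothetical stand-in for HAL_READ_UINT16(base + 4, data): each call
 * pops the next 16-bit word of the sector from the device. */
static unsigned words_popped;
static uint16_t mock_read_data_reg(void) { return (uint16_t)(0x1000u + words_popped++); }

/* Drain the whole sector so the device leaves its data phase, but store a
 * word only while both of its bytes still fit in the caller's buffer. */
static size_t read_data_bounded(void *buf, size_t len)
{
    uint8_t *out = buf;
    size_t stored = 0;
    for (size_t i = 0; i < SECTOR_BYTES; i += 2) {
        uint16_t data = mock_read_data_reg();
        if (i + 2 <= len) {
            memcpy(out + i, &data, sizeof data);   /* no alignment assumption */
            stored += 2;
        }
    }
    return stored;
}

/* Returns 1 if every guard byte after the first len bytes survives the read. */
static int guard_intact_after_read(size_t len)
{
    uint8_t frame[IDENT_BYTES + 16];
    memset(frame, CANARY, sizeof frame);
    words_popped = 0;
    read_data_bounded(frame, len);
    for (size_t i = len; i < sizeof frame; i++)
        if (frame[i] != CANARY)
            return 0;
    return 1;
}

int main(void)
{
    return (guard_intact_after_read(IDENT_BYTES) && guard_intact_after_read(3)) ? 0 : 1;
}
```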





