[ECOS] bug in eth_drv_send (memory overwrite)
Gary Thomas
gary@mlbassoc.com
Wed Jan 18 14:57:00 GMT 2006
On Wed, 2006-01-18 at 15:43 +0100, Deak, Ferenc wrote:
> >
> > But the check is made *after* the list length has been incremented. It
> > is valid for sg_len to be equal to MAX_ETH_DRV_SG at this point.
>
> Put a line
> if (sg_len == MAX_ETH_DRV_SG) diag_print("ARRAY OVERWRITE\n");
> after writing sg_list.
>
> exactly:
>
> 693: sg_list[sg_len].buf = (CYG_ADDRESS)data;
> 694: sg_list[sg_len].len = len; // !!!!!! largest sg_len here is MAX_ETH_DRV_SG
> new: if (sg_len == MAX_ETH_DRV_SG) diag_print("ARRAY OVERWRITE\n");
>
> Sorry if I'm wrong.

Fair enough - it can go through here too many times :-(

The check should be:

    if (m->m_next && (MAX_ETH_DRV_SG <= sg_len )) {

Otherwise, it would error out if your mbuf chain was exactly
MAX_ETH_DRV_SG buffers long.

Can you provide a test case that causes such mbuf fragmentation?

--
------------------------------------------------------------
Gary Thomas | Consulting for the
MLB Associates | Embedded world
------------------------------------------------------------
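
Added example, not part of the original thread and not eCos source: a self-contained C model of the store-then-check loop discussed above, comparing three forms of the bounds test against chains of MAX_ETH_DRV_SG and MAX_ETH_DRV_SG + 1 buffers. The small MAX_ETH_DRV_SG value, struct frag, the guard slot, the helper names, and the shape of the "old" test (MAX_ETH_DRV_SG < sg_len, inferred from the quoted description) are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#define MAX_ETH_DRV_SG 4   /* constructed small value for the demo */

struct frag { struct frag *m_next; void *data; size_t len; };  /* stand-in for an mbuf */
struct sg   { void *buf; size_t len; };
enum check {
    CHECK_GT_AFTER_INC,  /* assumed shape of the old test: MAX_ETH_DRV_SG < sg_len */
    CHECK_LE_ONLY,       /* MAX_ETH_DRV_SG <= sg_len, without looking at m_next */
    CHECK_FROM_REPLY     /* m->m_next && (MAX_ETH_DRV_SG <= sg_len) */
};

/* Store first, count, then test. Returns entry count, or -1 if the chain is rejected. */
static int build_sg(const struct frag *m, struct sg *sg_list, enum check mode)
{
    int sg_len = 0;
    for (; m != NULL; m = m->m_next) {
        sg_list[sg_len].buf = m->data;
        sg_list[sg_len].len = m->len;
        sg_len++;
        if (mode == CHECK_GT_AFTER_INC && MAX_ETH_DRV_SG < sg_len) return -1;
        if (mode == CHECK_LE_ONLY && MAX_ETH_DRV_SG <= sg_len) return -1;
        if (mode == CHECK_FROM_REPLY && m->m_next && MAX_ETH_DRV_SG <= sg_len) return -1;
    }
    return sg_len;
}

/* Chain of nfrags buffers (1..MAX_ETH_DRV_SG+2); reports whether the guard slot was written. */
static int run(int nfrags, enum check mode, int *guard_hit)
{
    static char payload[8];
    struct frag chain[MAX_ETH_DRV_SG + 2];
    struct sg sg_list[MAX_ETH_DRV_SG + 1] = {{NULL, 0}};  /* last slot is the guard */
    for (int i = 0; i < nfrags; i++) {
        chain[i].m_next = (i + 1 < nfrags) ? &chain[i + 1] : NULL;
        chain[i].data = payload; chain[i].len = sizeof payload;
    }
    int rc = build_sg(chain, sg_list, mode);
    *guard_hit = (sg_list[MAX_ETH_DRV_SG].buf != NULL);  /* one past the real list */
    return rc;
}

int main(void)
{
    for (int mode = CHECK_GT_AFTER_INC; mode <= CHECK_FROM_REPLY; mode++)
        for (int n = MAX_ETH_DRV_SG; n <= MAX_ETH_DRV_SG + 1; n++) {
            int hit, rc = run(n, (enum check)mode, &hit);
            printf("check=%d frags=%d rc=%d guard_written=%d\n", mode, n, rc, hit);
        }
    return 0;
}
```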