io/flash has a broken address range check for flash_erase(). There is no address
range check for flash_program_buf().
This patch adds address range checks and returns an error if the address range is invalid.
Alternatively, address range checks could be left to higher level code and the
broken flash_erase() address range check can be removed.
Or alternatively, I'm about to get egg all over my face and hopefully someone
will take pity and tell me what's really happening here. :-)
--
Øyvind Harboe
http://www.zylin.com - eCos ARM & FPGA developer kit
### Eclipse Workspace Patch 1.0
#P ecos
Index: io/flash/current/ChangeLog
===================================================================
RCS file: /cvs/ecos/ecos/packages/io/flash/current/ChangeLog,v
retrieving revision 1.43
diff -u -r1.43 ChangeLog
--- io/flash/current/ChangeLog 25 Feb 2006 14:07:43 -0000 1.43
+++ io/flash/current/ChangeLog 11 Dec 2007 08:57:50 -0000
@@ -1,3 +1,8 @@
+2007-12-11 Oyvind Harboe <[EMAIL PROTECTED]>
+
+ * src/flash.c: flase_erase/flash_program_buf: return error for illegal
+ address ranges.
+
2006-02-21 Oliver Munz <[EMAIL PROTECTED]>
Andrew Lunn <[EMAIL PROTECTED]>
Index: io/flash/current/src/flash.c
===================================================================
RCS file: /cvs/ecos/ecos/packages/io/flash/current/src/flash.c,v
retrieving revision 1.27
diff -u -r1.27 flash.c
--- io/flash/current/src/flash.c 25 Feb 2006 14:07:43 -0000 1.27
+++ io/flash/current/src/flash.c 11 Dec 2007 08:57:51 -0000
@@ -179,14 +179,15 @@
_flash_erase_block = (code_fun*) __anonymizer(&flash_erase_block);
+ // Return error for illegal addresses
+ if ((addr<flash_info.start)||(addr>flash_info.end))
+ return FLASH_ERR_INVALID;
+ if ((((cyg_uint8 *)addr)+len)>(cyg_uint8 *)flash_info.end)
+ return FLASH_ERR_INVALID;
+
block = (unsigned short *)((CYG_ADDRESS)addr & flash_info.block_mask);
end_addr = (unsigned short *)((CYG_ADDRESS)addr+len);
- /* Check to see if end_addr overflowed */
- if( (end_addr < block) && (len > 0) ){
- end_addr = (unsigned short *) ((CYG_ADDRESS) flash_info.end - 1);
- }
-
#ifdef CYGSEM_IO_FLASH_CHATTER
(*flash_info.pf)("... Erase from %p-%p: ", (void*)block, (void*)end_addr);
#endif
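Review bot: The length check on the added line `if ((((cyg_uint8 *)addr)+len)>(cyg_uint8 *)flash_info.end)` can be defeated by a large len: `addr+len` wraps around the address space and compares below `flash_info.end`, and forming that out-of-range pointer is undefined behaviour the compiler may fold away, so the hunk removes the old `end_addr overflowed` guard without actually replacing it. Comparing the length against the remaining space cannot wrap once the previous line has established `addr <= flash_info.end`: `if ((CYG_ADDRESS)len > (CYG_ADDRESS)flash_info.end - (CYG_ADDRESS)addr) return FLASH_ERR_INVALID;`, plus a `len < 0` test if len is a signed int (its declaration is outside the hunk). Whether `flash_info.end` is the last valid byte or one past it is not visible here; it decides whether `addr > flash_info.end` should be `>=`, and the removed `flash_info.end - 1` hints at one-past, so confirm before choosing. The second hunk duplicates the same check in flash_program_buf and needs the same fix. flash_erase's body starts before this hunk and continues after it.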
@@ -257,6 +258,12 @@
if (!flash_info.init) {
return FLASH_ERR_NOT_INIT;
}
+
+ // Return error for illegal addresses
+ if ((addr<flash_info.start)||(addr>flash_info.end))
+ return FLASH_ERR_INVALID;
+ if ((((cyg_uint8 *)addr)+len)>(cyg_uint8 *)flash_info.end)
+ return FLASH_ERR_INVALID;
#ifdef CYGSEM_IO_FLASH_SOFT_WRITE_PROTECT
if (plf_flash_query_soft_wp(addr,len))