Hello,

I have done more tests on this issue and I have created the patch below.



Regards,

Mathias
From f2ecac695568717b953c0a323ac683e28108f11f Mon Sep 17 00:00:00 2001
From: Mathias K. <[email protected]>
Date: Thu, 24 Feb 2011 12:53:52 +0100
Subject: [PATCH] ft2232: fix possible read buffer overflow

This patch fixes a possible read buffer overflow in ft2232_execute_queue.
Also the correct read queue size for libftdi and libftd2xx was added and
tested.
In function ft2232_write an uninitialized value was initialized because we
don't know if this value was set in the ftdi api call.
---
 src/jtag/drivers/ft2232.c |   20 +++++++++++++++++---
 1 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/src/jtag/drivers/ft2232.c b/src/jtag/drivers/ft2232.c
index 9024f8e..a84d069 100644
--- a/src/jtag/drivers/ft2232.c
+++ b/src/jtag/drivers/ft2232.c
@@ -373,6 +373,12 @@ static int             require_send;
        a comment would have been nice.
 */
 
+#if BUILD_FT2232_FTD2XX == 1
+#define FT2232_BUFFER_READ_QUEUE_SIZE  (64*64)
+#else
+#define FT2232_BUFFER_READ_QUEUE_SIZE  (64*4)
+#endif
+
 #define FT2232_BUFFER_SIZE 131072
 
 static uint8_t*             ft2232_buffer = NULL;
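Review bot: the two new FT2232_BUFFER_READ_QUEUE_SIZE values (64*64 for FTD2XX, 64*4 for libftdi) are introduced without a comment saying where they come from, and the libftdi value (256) happens to equal the hard-coded `256` threshold being replaced later in this patch while the FTD2XX path jumps to 4096. Please add a short comment above the `#if` stating the origin of each size (driver/chip read buffer, measured limit, or documentation) and how it relates to the existing FT2232_BUFFER_SIZE, so the next person who hits an overflow can tell whether the constant or the assumption is wrong.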
@@ -499,7 +505,7 @@ static int ft2232_write(uint8_t* buf, int size, uint32_t* 
bytes_written)
 {
 #if BUILD_FT2232_FTD2XX == 1
        FT_STATUS status;
-       DWORD dw_bytes_written;
+       DWORD dw_bytes_written = 0;
        if ((status = FT_Write(ftdih, buf, size, &dw_bytes_written)) != FT_OK)
        {
                *bytes_written = dw_bytes_written;
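Review bot: the zero-initialization only matters on the error path visible here, where `*bytes_written = dw_bytes_written;` is executed after FT_Write returns something other than FT_OK; without it the caller would read an indeterminate count on failure. A one-line comment at the declaration (that FT_Write may leave the out-parameter untouched on error) would make the intent obvious, since the commit message only says "a uninitialized value was initialized" and not why that was a bug.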
@@ -2081,12 +2087,20 @@ static int ft2232_execute_queue(void)
 
        while (cmd)
        {
+               /* fill the write buffer with the desired command */
                if (ft2232_execute_command(cmd) != ERROR_OK)
                        retval = ERROR_JTAG_QUEUE_FAILED;
-               /* Start reading input before FT2232 TX buffer fills up */
+               /* Start reading input before FT2232 TX buffer fills up.
+                * Sometimes this happens because we don't know the
+                * length of the last command before we execute it. So
+                * we simple inform the user.
+                */
                cmd = cmd->next;
-               if (ft2232_expect_read > 256)
+
+               if (ft2232_expect_read >= FT2232_BUFFER_READ_QUEUE_SIZE )
                {
+                       if (ft2232_expect_read > 
(FT2232_BUFFER_READ_QUEUE_SIZE+1) )
+                               LOG_WARNING("read buffer size looks to high");
                        if (ft2232_send_and_recv(first_unsent, cmd) != ERROR_OK)
                                retval = ERROR_JTAG_QUEUE_FAILED;
                        first_unsent = cmd;
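Review bot: the inner check warns only when `ft2232_expect_read > (FT2232_BUFFER_READ_QUEUE_SIZE+1)`, so a queue that is exactly one byte over the size is silently accepted; if the limit is FT2232_BUFFER_READ_QUEUE_SIZE, the warning condition should be `> FT2232_BUFFER_READ_QUEUE_SIZE`, and the `+1` should either be removed or explained in the new comment. More importantly, the patch only logs and then still calls `ft2232_send_and_recv(first_unsent, cmd)` with the oversized expected read, so the overflow the subject line promises to fix is reported rather than prevented; consider returning ERROR_JTAG_QUEUE_FAILED (or rejecting the command in ft2232_execute_command) when the expected read cannot fit. Minor: the message should read "too high" and would be more useful with the actual value (`LOG_WARNING("read buffer size looks too high: %d", ft2232_expect_read)`), the comment should say "simply inform", and there is a stray space before `)` in the outer `if`.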
-- 
1.7.3.4

_______________________________________________
Openocd-development mailing list
[email protected]
https://lists.berlios.de/mailman/listinfo/openocd-development
