![[RTEMS Logo]](/images/logo.png){kind=logo}
Opened on 05/30/18 at 17:12:49
Last modified on 06/06/18 at 03:31:06
#3439 accepted defect
buffer overflow in rtems_rfs_bitmap_create_search()
| Reported by: | waltl | Owned by: | Chris Johns |
|---|---|---|---|
| Priority: | normal | Milestone: | |
| Component: | fs/rfs | Version: | |
| Severity: | normal | Keywords: | |
| Cc: | Blocked By: | ||
| Blocking: |
Description
I am encountering a buffer overrun in rtems_rfs_bitmap_create_search(). It seems that whenever the bitmap uses the last bit of its search_map (i.e. (control->size + 31) % 32 == 32)), the loop will write to the word one beyond the end of search_map.
Attached is a simple patch that fixes the problem.
Attachments (1)
Change History (6)
comment:1 Changed on 05/30/18 at 17:15:06 by waltl
| Component: | admin → fs/rfs |
|---|
comment:2 Changed on 06/04/18 at 13:42:30 by Gedare Bloom
comment:3 Changed on 06/04/18 at 13:53:44 by Gedare Bloom
| Owner: | set to Chris Johns |
|---|---|
| Status: | new → assigned |
Changed on 06/04/18 at 19:25:10 by waltl
| Attachment: | 0001-Bitmap-bug-fix.patch added |
|---|
updated patch fix with test
comment:4 Changed on 06/04/18 at 19:25:49 by waltl
I am using a snapshot of RTEMS provided by a third party, based on commit #821acce on master. The bug should still be there on the tip of master and on 4.11 (and probably 4.10 also, but that version seems to be missing another patch).
I've updated the patch to master, and also added a test.
comment:5 Changed on 06/06/18 at 03:31:06 by Chris Johns
| Status: | assigned → accepted |
|---|
Note: See
TracTickets for help on using
tickets.
What version is this affecting? The patch is a bit outdated with respect to master branch. Do you have a test case by any chance?