#3439 accepted defect

buffer overflow in rtems_rfs_bitmap_create_search()

Reported by: waltl Owned by: Chris Johns
Priority: normal Milestone:
Component: fs/rfs Version:
Severity: normal Keywords:
Cc: Blocked By:


I am encountering a buffer overrun in rtems_rfs_bitmap_create_search(). It seems that whenever the bitmap uses the last bit of its search_map (i.e. (control->size + 31) % 32 == 32), the loop will write to the word one beyond the end of search_map.

Attached is a simple patch that fixes the problem.
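To make the overrun concrete, here is a reduced model of the search-map construction loop, added as an illustration and not code from RTEMS or from the attached patch. It assumes 32-bit map elements and a one-level search map in which bit i summarises map word i (set when that word still has a free bit), so the search map needs ceil(ceil(size/32)/32) words. The function and variable names (build_search_map, search_map_overflows, check_two_word, CANARY) are hypothetical. The `fixed` flag switches between the end-of-word step that clears the next search word unconditionally, which writes one word past the end exactly when the number of map words is a multiple of 32, and a step that only clears it when map words remain.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

#define ELEMENT_BITS 32u
#define CANARY       0xDEADBEEFu   /* sentinel placed right after the search map */

/* Words needed to hold `bits` bits, rounding up. */
static size_t words_for(size_t bits)
{
    return (bits + ELEMENT_BITS - 1) / ELEMENT_BITS;
}

static unsigned popcount32(uint32_t v)
{
    unsigned n = 0;
    for (; v; v &= v - 1) n++;
    return n;
}

/*
 * Build a one-level search map over `map`, which holds `size` bits where a
 * set bit means "allocated". Bit i of search_map is set when map word i still
 * has a free bit. The caller sizes search_map as words_for(words_for(size)).
 * Returns the exact number of free bits.
 */
static size_t build_search_map(const uint32_t *map, size_t size,
                               uint32_t *search_map, int fixed)
{
    size_t   free_bits = 0;
    unsigned bit = 0;

    *search_map = 0;
    while (size) {
        uint32_t mask, bits;
        unsigned available;

        if (size < ELEMENT_BITS) {
            mask      = (1u << size) - 1u;     /* partial final word */
            available = (unsigned)size;
        } else {
            mask      = 0xFFFFFFFFu;
            available = ELEMENT_BITS;
        }
        bits = (*map & mask) | ~mask;         /* bits past `size` count as allocated */

        if (bits != 0xFFFFFFFFu) {
            *search_map |= 1u << bit;
            free_bits   += available - popcount32(*map & mask);
        }

        size -= available;
        map++;

        if (bit == ELEMENT_BITS - 1) {
            bit = 0;
            search_map++;
            /* Buggy variant: the next search word is cleared even when the
             * map is exhausted, i.e. one word beyond the allocation. */
            if (!fixed || size)
                *search_map = 0;
        } else {
            bit++;
        }
    }
    return free_bits;
}

/* Run the builder on an all-free bitmap of `size_bits` bits with a canary
 * word right after a correctly sized search map. Returns 1 if the canary
 * was overwritten, 0 if not, -1 on allocation failure. */
static int search_map_overflows(size_t size_bits, int fixed)
{
    size_t    map_words    = words_for(size_bits);
    size_t    search_words = words_for(map_words);
    uint32_t *map          = calloc(map_words, sizeof *map);
    uint32_t *search       = calloc(search_words + 1, sizeof *search);
    int       clobbered;

    if (!map || !search) { free(map); free(search); return -1; }
    search[search_words] = CANARY;
    build_search_map(map, size_bits, search, fixed);
    clobbered = search[search_words] != CANARY;
    free(map);
    free(search);
    return clobbered;
}

/* Sanity check of the summary itself on a two-word bitmap (no overflow
 * possible here): 1 if search word 0 and the free count match expectations. */
static int check_two_word(uint32_t w0, uint32_t w1, size_t size_bits,
                          uint32_t expect_search, size_t expect_free)
{
    uint32_t map[2] = { w0, w1 };
    uint32_t search[2] = { 0, CANARY };
    size_t   free_bits = build_search_map(map, size_bits, search, 1);
    return search[0] == expect_search && free_bits == expect_free
           && search[1] == CANARY;
}

int main(void)
{
    size_t sizes[] = { 992, 1000, 1024 };
    for (size_t i = 0; i < 3; i++)
        printf("size %4zu bits: buggy overflow=%d, fixed overflow=%d\n",
               sizes[i], search_map_overflows(sizes[i], 0),
               search_map_overflows(sizes[i], 1));
    return 0;
}
```

992 bits (31 map words) never reach bit 31 of the search word, so neither variant overflows; 1000 and 1024 bits both round up to 32 map words, so the unconditional clear lands on the canary. A regression test for this class of bug should therefore pick a bitmap size whose word count is an exact multiple of the element width, not just a round number of bits.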

Attachments (1)

0001-Bitmap-bug-fix.patch (3.4 KB) - added by waltl on 06/04/18 at 19:25:10.
updated patch fix with test


Change History (6)

comment:1 Changed on 05/30/18 at 17:15:06 by waltl

Component: admin → fs/rfs

comment:2 Changed on 06/04/18 at 13:42:30 by Gedare Bloom

What version is this affecting? The patch is a bit outdated with respect to master branch. Do you have a test case by any chance?

comment:3 Changed on 06/04/18 at 13:53:44 by Gedare Bloom

Owner: set to Chris Johns
Status: new → assigned

Changed on 06/04/18 at 19:25:10 by waltl

Attachment: 0001-Bitmap-bug-fix.patch added

updated patch fix with test

comment:4 Changed on 06/04/18 at 19:25:49 by waltl

I am using a snapshot of RTEMS provided by a third party, based on commit #821acce on master. The bug should still be there on the tip of master and on 4.11 (and probably 4.10 also, but that version seems to be missing another patch).

I've updated the patch to master, and also added a test.

comment:5 Changed on 06/06/18 at 03:31:06 by Chris Johns

Status: assigned → accepted