#595 closed defect (fixed)

Buffer overrun in sp13

Reported by: querbach Owned by: Joel Sherrill
Priority: lowest Milestone: 2
Component: unspecified Version: 4.6
Severity: normal Keywords:
Cc: bugs@… Blocked By:
Blocking:

Description

Fill_buffer() in fillbuff.c overruns the supplied buffer due to confusion in the definition of MESSAGE_SIZE. Some files in the sp13 test treat MESSAGE_SIZE as a count of bytes, others treat it as a count of longs.

Release:
RTEMS Version 4.6.99.0 (Snapshot as of 20040318)

Environment:
Intec SS555 (MPC5xx) port.
Built under Debian 3.0.

How-To-Repeat:
Run sp13 on a system with something important just after the buffer.

Attachments (1)

rtems-20040318-sp13-fix.patch (4.6 KB) - added by querbach on Dec 3, 2006 at 1:31:12 PM.
rtems-20040318-sp13-fix.patch

Download all attachments as: .zip

Change History (3)

comment:1 Changed on Mar 30, 2004 at 6:50:19 PM by Joel Sherrill

Status: assignedclosed

State-Changed-From-To: open->closed
State-Changed-Why: Patch applied to CVS trunk and 4.6 branch.

This problem has lurked a long time since this test was created in the days when messages were 16 bytes (4 u32's) long per RTEID The conversion must have missed the overwrite of the buffer and no one ever got as unlucky as you did with memory layout.

Changed on Dec 3, 2006 at 1:31:12 PM by querbach

rtems-20040318-sp13-fix.patch

comment:2 Changed on Oct 10, 2017 at 6:46:55 AM by Sebastian Huber

Component: testingunspecified
Note: See TracTickets for help on using tickets.