#13 ioman_releaseSector sign error

open
nobody
None
5
2006-12-10
2006-12-10
No

Hello,

In src/ioman.c ioman_releaseSector calls ioman_getBp and stores the return value in euint16 bp (an unsigned value). This is an error as ioman_getBp may return -1. The code currently reads:

    euint16 bp;

    bp=ioman_getBp(ioman,buf);
    ioman_decUseCnt(ioman,bp);

    if(ioman_getUseCnt(ioman,bp)==0 && ioman->itptr[bp]!=0){
        ...
    }

The unchecked use of bp in ioman->itptr[bp] will lead to memory violations. Instead, this should be changed to something like:

    esint16 bp;

    bp=ioman_getBp(ioman,buf);
    ioman_decUseCnt(ioman,bp);

    if(ioman_getUseCnt(ioman,bp)==0 && bp >= 0){
        if(ioman->itptr[bp]!=0){
            ...
        }
    }

This bug is present in stable version 0.2.8 and in the development version 0.3.5. This caused segfaults on an lpc2148 I am developing. Thank you.

Carrick
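The sign error described in the report, reduced to a self-contained demonstration. This is an added example, not code from EFSL or from the reporter: the ioman_t struct, lookup_bp, release_sector_index_unsigned, release_sector_checked and index_in_bounds are hypothetical stand-ins, with a constructed four-slot cache table. It shows what happens when a -1 "not found" result from the lookup is stored in an unsigned 16-bit variable (it becomes 65535, far outside the table) and the corrected pattern that keeps the signed result and rejects it before it is ever used as an index. The buggy variant only reports the index it would have used; it never dereferences it, so the program stays memory safe.

```c
/* Added example (not EFSL code): a -1 "not found" result stored in an
 * unsigned index, versus a signed result that is checked before indexing.
 * All names here are hypothetical stand-ins for the ioman.c routines. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_BUF     4   /* constructed: number of cache slots */
#define SECTOR_SIZE 8   /* constructed: tiny sector size for the demo */

typedef struct {
    uint8_t  buf[NUM_BUF][SECTOR_SIZE]; /* cached sector data */
    uint8_t  usecnt[NUM_BUF];           /* per-slot use counts */
    void    *itptr[NUM_BUF];            /* per-slot pointer, like itptr in the report */
} ioman_t;

/* Which cache slot does buf belong to? Returns -1 when it is not one of ours,
 * the same contract the report describes for ioman_getBp. */
static int16_t lookup_bp(const ioman_t *im, const uint8_t *buf)
{
    for (int16_t i = 0; i < NUM_BUF; i++)
        if (im->buf[i] == buf)
            return i;
    return -1;
}

/* Buggy pattern: the signed result lands in an unsigned variable.
 * Returns the index that would be used for itptr[] without touching the
 * array; for a foreign buffer this is 65535, not a slot at all. */
uint16_t release_sector_index_unsigned(const ioman_t *im, const uint8_t *buf)
{
    uint16_t bp = (uint16_t)lookup_bp(im, buf); /* -1 wraps to 65535 */
    return bp;
}

/* Fixed pattern: keep the signed result and reject it before any indexing.
 * Returns 1 if a slot was released, 0 if buf is not a cache buffer. */
int release_sector_checked(ioman_t *im, const uint8_t *buf)
{
    int16_t bp = lookup_bp(im, buf);
    if (bp < 0)                     /* not ours: never index with it */
        return 0;
    if (im->usecnt[bp] > 0)
        im->usecnt[bp]--;
    if (im->usecnt[bp] == 0 && im->itptr[bp] != NULL)
        im->itptr[bp] = NULL;       /* stand-in for the real cleanup */
    return 1;
}

/* True if bp names a real slot of the table. */
int index_in_bounds(uint16_t bp)
{
    return bp < NUM_BUF;
}

int main(void)
{
    static ioman_t im;
    uint8_t foreign[SECTOR_SIZE];   /* constructed: a buffer the cache does not own */
    memset(&im, 0, sizeof im);
    im.usecnt[2] = 1;               /* slot 2 is in use once */
    im.itptr[2] = &im;

    uint16_t bad = release_sector_index_unsigned(&im, foreign);
    printf("foreign buffer, unsigned index: %u (in bounds: %d)\n",
           (unsigned)bad, index_in_bounds(bad));
    printf("foreign buffer, checked release: %d\n",
           release_sector_checked(&im, foreign));
    printf("slot 2, checked release: %d, usecnt now %u\n",
           release_sector_checked(&im, im.buf[2]), (unsigned)im.usecnt[2]);
    return 0;
}
```

The cast in release_sector_index_unsigned makes explicit the implicit conversion that the original euint16 declaration performs; on any two's-complement target, including the lpc2148 mentioned in the report, the resulting index is 65535 and the following itptr[bp] read lands tens of kilobytes past the table.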
