Merge pull request #208 from gsmcmullin/mem_packet_range_check
Add range checking on mem access packets.
gsmcmullin authored Apr 18, 2017
2 parents 25f5efd + bd2cfe7 commit 06bf37f
Showing 1 changed file with 12 additions and 0 deletions.
12 changes: 12 additions & 0 deletions src/gdb_main.c
Expand Up @@ -115,6 +115,10 @@ int gdb_main_loop(struct target_controller *tc, bool in_syscall)
uint32_t addr, len;
ERROR_IF_NO_TARGET();
sscanf(pbuf, "m%" SCNx32 ",%" SCNx32, &addr, &len);
if (len > sizeof(pbuf) / 2) {
gdb_putpacketz("E02");
break;
}
DEBUG("m packet: addr = %" PRIx32 ", len = %" PRIx32 "\n", addr, len);
uint8_t mem[len];
if (target_mem_read(cur_target, mem, addr, len))
Expand All @@ -136,6 +140,10 @@ int gdb_main_loop(struct target_controller *tc, bool in_syscall)
int hex;
ERROR_IF_NO_TARGET();
sscanf(pbuf, "M%" SCNx32 ",%" SCNx32 ":%n", &addr, &len, &hex);
if (len > (unsigned)(size - hex) / 2) {
gdb_putpacketz("E02");
break;
}
DEBUG("M packet: addr = %" PRIx32 ", len = %" PRIx32 "\n", addr, len);
uint8_t mem[len];
unhexify(mem, pbuf + hex, len);
Expand Down Expand Up @@ -251,6 +259,10 @@ int gdb_main_loop(struct target_controller *tc, bool in_syscall)
int bin;
ERROR_IF_NO_TARGET();
sscanf(pbuf, "X%" SCNx32 ",%" SCNx32 ":%n", &addr, &len, &bin);
if (len > (unsigned)(size - bin)) {
gdb_putpacketz("E02");
break;
}
DEBUG("X packet: addr = %" PRIx32 ", len = %" PRIx32 "\n", addr, len);
if (target_mem_write(cur_target, addr, pbuf+bin, len))
gdb_putpacketz("E01");
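Review bot: The new bound in the `M` and `X` cases depends on `hex` / `bin` having been written by `%n`, but both are declared without an initialiser and the `sscanf` result is never checked, so a packet that does not parse up to the `:` leaves them indeterminate and `(unsigned)(size - hex)` can wrap to a very large value that lets any `len` reach `uint8_t mem[len]` and `unhexify`. Initialise the offset (`int hex = 0;`) and reject the packet unless the parse completed, e.g. `if (n != 2 || hex <= 0 || hex > size || len > (unsigned)(size - hex) / 2)` with `n` holding the `sscanf` return value and assuming `size` is the received packet length; the `X` case needs the same guard without the `/ 2`. The `m` case has the same unchecked `sscanf`, so `addr` and `len` may be indeterminate when the range check runs, and its `sizeof(pbuf) / 2` limit is only meaningful if `pbuf` is an array in this scope, which the hunk does not show. `gdb_main_loop` begins and ends outside all three hunks.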