From: Lukasz Majewski
Date: Fri, 12 Jul 2013 22:48:16 +0200
Subject: [U-Boot] [PATCH] Fix memory stomper in DFU. Loop NULL-initted one past allocated array size.
In-Reply-To: <1373651331-15969-1-git-send-email-mboards@prograde.net>
References: <1373651331-15969-1-git-send-email-mboards@prograde.net>
Message-ID: <20130712224816.49e1f549@jawa>
To: u-boot@lists.denx.de

On Fri, 12 Jul 2013 13:48:51 -0400
mboards at prograde.net wrote:

Hi Michael,

> From: Michael Cashwell
>
> The memory layout arranged itself such that a long-standing memory
> stomper in a DFU prepare callback used during USB registration
> mangled the malloc heap enough to cause my board to panic much later
> in a call to free(). Since it hadn't happened before but was
> repeatable I decided to investigate before it vanished again.
>
> The actual stomp happened in this line after the for loop:
> f_dfu->function[i] = NULL;

Thanks for the investigation, but I've already fixed that:

dfu:function: Fix number of allocated DFU function pointers
SHA1: e059a400ad780328cd5ad22c396298cac520c856

This patch has been included in v2013.07-rc2.

>
> git blame says this code was introduced here:
> b819ddbf (Lukasz Majewski 2012-08-06 14:41:06 +0200 587)
>
> I'm not sure if the function[] array actually needs a NULL entry at
> the end. If so then this patch is the right fix. If it really always
> knows the last array index and doesn't need the NULL then removing
> the offending assignment would be better. Not knowing makes this
> patch safer.
>
> Signed-off-by: Michael Cashwell
> ---
> drivers/usb/gadget/f_dfu.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c
> index a322ae5..b24de09 100644
> --- a/drivers/usb/gadget/f_dfu.c
> +++ b/drivers/usb/gadget/f_dfu.c
> @@ -589,7 +589,7 @@ static int dfu_prepare_function(struct f_dfu > *f_dfu, int n) struct usb_interface_descriptor *d; > int i = 0; > > - f_dfu->function = calloc(sizeof(struct usb_descriptor_header > *), n); > + f_dfu->function = calloc(sizeof(struct usb_descriptor_header > *), n + 1); if (!f_dfu->function) > goto enomem; > Anyway its nice to hear, that +1 user of DFU is out there :-) Best regards, Lukasz Majewski -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 198 bytes Desc: not available URL:
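Review bot: the allocation in this hunk, `calloc(sizeof(struct usb_descriptor_header *), n + 1)`, passes calloc's arguments as (size, count) while the declared order is (count, size); the byte total is the same either way, but `calloc(n + 1, sizeof(struct usb_descriptor_header *))` states the intent (n entries plus one NULL sentinel) and should be used, particularly since the +1 is the whole point of the change. The commit message itself leaves open whether anything consumes the NULL terminator at `f_dfu->function[n]`; the patch should name the consumer that walks the array to NULL, because if there is none the cleaner fix the message mentions, dropping the `f_dfu->function[i] = NULL;` write after the loop, removes the sentinel and the extra slot together. Finally, as the reply above states, the same off-by-one was already fixed by e059a400ad780328cd5ad22c396298cac520c856 in v2013.07-rc2, so this hunk should be diffed against that commit before any further review.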
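The bug discussed in this thread, as an added stand-alone example that is my own and not U-Boot's f_dfu.c code: a loop fills n pointer slots and then writes a NULL sentinel at index n, which is one past an array sized for n entries. On a real heap the clobbered bytes belong to whatever the allocator placed next (here, a chunk header or a neighbouring block, hence the later crash in free()). To make the overrun observable without depending on heap layout, the example places a canary word directly after the pointer slots inside the same allocation and reports whether the sentinel write destroyed it. The names build_function_table, table_overflows and sentinel_ok, the constructed `struct desc` standing in for `struct usb_descriptor_header`, and the canary value are this example's own assumptions.

```c
/*
 * Added example (not U-Boot code). Reproduces the shape of the
 * dfu_prepare_function() off-by-one: n entries are written in a loop,
 * then a NULL terminator goes at index n. Allocating `slots == n`
 * reproduces the bug; `slots == n + 1` is the fix from the patch.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY 0xA5A5A5A5A5A5A5A5ULL   /* arbitrary guard pattern */

/* Constructed stand-in for struct usb_descriptor_header. */
struct desc {
    uint8_t bLength;
    uint8_t bDescriptorType;
};

/* Constructed sample descriptors that the table points at (static so the
 * pointers stay valid after return). Limits n to 8 in this example. */
static struct desc sample_descs[8];

/*
 * Build a NULL-terminated table of n descriptor pointers using `slots`
 * pointer slots, with a canary word placed immediately after the slots in
 * the same malloc block. Returns 1 if the canary survived, 0 if the
 * sentinel write at index n overwrote it, -1 on allocation failure.
 * On success *out receives the table; the caller frees it with free().
 */
static int build_function_table(int n, size_t slots, struct desc ***out)
{
    size_t table_bytes = slots * sizeof(struct desc *);
    uint8_t *block = malloc(table_bytes + sizeof(uint64_t));
    uint64_t canary = CANARY;
    struct desc **function;
    int i;

    if (!block)
        return -1;
    memset(block, 0, table_bytes);
    memcpy(block + table_bytes, &canary, sizeof canary);

    function = (struct desc **)block;
    for (i = 0; i < n && i < 8; i++) {
        sample_descs[i].bLength = sizeof(struct desc);
        sample_descs[i].bDescriptorType = 4;   /* interface-like, arbitrary */
        function[i] = &sample_descs[i];
    }
    function[i] = NULL;   /* the write that overran an n-sized array */

    memcpy(&canary, block + table_bytes, sizeof canary);
    *out = function;
    return canary == CANARY;
}

/* 1 if building an n-entry table in `slots` slots stomps past the slots. */
static int table_overflows(int n, size_t slots)
{
    struct desc **t = NULL;
    int intact = build_function_table(n, slots, &t);

    free(t);
    return intact == 0;
}

/* 1 if the fixed allocation (n + 1 slots) yields n non-NULL entries
 * followed by a NULL sentinel, with no overrun. */
static int sentinel_ok(int n)
{
    struct desc **t = NULL;
    int ok = build_function_table(n, (size_t)n + 1, &t) == 1;
    int i;

    if (ok) {
        for (i = 0; i < n; i++)
            ok = ok && t[i] != NULL;
        ok = ok && t[n] == NULL;
    }
    free(t);
    return ok;
}

int main(void)
{
    printf("n=3, slots=n   : canary %s\n",
           table_overflows(3, 3) ? "clobbered (the bug)" : "intact");
    printf("n=3, slots=n+1 : canary %s, sentinel %s\n",
           table_overflows(3, 4) ? "clobbered" : "intact (the fix)",
           sentinel_ok(3) ? "present" : "missing");
    return 0;
}
```

The canary is a stand-in for whatever the allocator keeps after the block; in the thread it was heap metadata, which is why the damage only surfaced much later in free(). The same trick, a guard word behind a fixed-size table, is a cheap way to confirm a suspected stomper on a target without ASan.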