Buffer overrun in stm32f7xx_hal_sd.c

[mavstuff]

Describe the set-up The board is STM32F769I-DISCO. The IDE is OpenSTM32. Using CubeMX 5.3.0 with FreeRTOS with FATFS and SD card DMA template. HAL version is 1.16.1.

Describe the bug The bug appears from time-to time as the system falling into Hard Fault for no apparent reason.

In the file stm32f7xx_hal_sd.c there is a function static uint32_t SD_FindSCR(SD_HandleTypeDef hsd, uint32_t pSCR)

which has the followng code:

  while(!__HAL_SD_GET_FLAG(hsd, SDMMC_FLAG_RXOVERR | SDMMC_FLAG_DCRCFAIL | SDMMC_FLAG_DTIMEOUT | SDMMC_FLAG_DBCKEND))
  {
    if(__HAL_SD_GET_FLAG(hsd, SDMMC_FLAG_RXDAVL))
    {
      *(tempscr + index) = SDMMC_ReadFIFO(hsd->Instance);
      index++;
    }

    if((HAL_GetTick() - tickstart) >=  SDMMC_DATATIMEOUT)
    {
      return HAL_SD_ERROR_TIMEOUT;
    }
  }

Please note that *(tempscr + index) may overflow as tempscr is only two elements long and the loop never checks for an array boundary.

Also, there are two more places worth fixing for buffer overrun which use SDMMC_ReadFIFO(hsd->Instance) in the same file. But they are not used in the DMA template.

Pull request created: https://github.com/STMicroelectronics/STM32CubeF7/pull/55

[RKOUSTM]

Duplicate of #55.

[RKOUSTM]

Hi @mavstuff,

Thank you for your report. This request will be forwarded to our development teams for deeper analysis. We will be back to you as soon as they provide me with their answer.

This duplicated issue will remain closed. The pull-request #55 that you reported will be kept open to track the point.

Thank you for you again for your report.

With regards,

[mavstuff]

thank you