Wiznet / ioLibrary_Driver

ioLibrary_Driver can be used for the application design of WIZnet TCP/IP chips such as W5500, W5300, W5200, W5100 and W5100S.
MIT License

It occurs Global memory Buffer Overrun #140

Open nsicko42 opened 12 months ago

nsicko42 commented 12 months ago

In the socket() function:

The CHECK_SOCKNUM() macro tries to check that the socket number is no more than 4, like below.

#define CHECK_SOCKNUM()   \
    do{                    \
        if(sn > _WIZCHIP_SOCK_NUM_) return SOCKERR_SOCKNUM;   \
    }while(0);             \

But sn > _WIZCHIP_SOCK_NUM_ means that the socket number is not more than 4. It means that 0, 1, 2, 3 and 4 are effective.

This code causes a global memory buffer overrun at sock_pack_info[sn] = 0;, because the size of sock_pack_info is 4. What happens on a memory access to sock_pack_info[4]?

If I am correct, it should be like this.

#define CHECK_SOCKNUM()   \
    do{                    \
        if(sn >= _WIZCHIP_SOCK_NUM_) return SOCKERR_SOCKNUM;   \
    }while(0);             \
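
The off-by-one reported above, as an added example that is not part of the issue or of ioLibrary_Driver: it compares the `>` and `>=` checks over every `uint8_t` socket number and shows where the write for `sn == 4` lands. `SOCK_NUM`, the `EX_*` return values, the `uint8_t` element type and the `neighbour` field are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SOCK_NUM       4      /* stands in for _WIZCHIP_SOCK_NUM_ (4 per the issue) */
#define EX_OK          1      /* constructed return values for this example */
#define EX_ERR_SOCKNUM (-1)

/* Models global memory: the 4-entry table followed by an unrelated neighbour. */
struct globals {
    uint8_t sock_pack_info[SOCK_NUM];
    uint8_t neighbour;        /* hypothetical adjacent global */
};

static int check_buggy(uint8_t sn) { return sn >  SOCK_NUM ? EX_ERR_SOCKNUM : EX_OK; }
static int check_fixed(uint8_t sn) { return sn >= SOCK_NUM ? EX_ERR_SOCKNUM : EX_OK; }

/* Performs "sock_pack_info[sn] = 0" through a byte pointer into the struct, so
 * an index one past the table stays inside the struct object and the effect
 * is observable without undefined behaviour.
 * Returns 1 if the neighbour was clobbered, 0 if intact, -1 if sn was rejected. */
static int write_after_check(int (*check)(uint8_t), uint8_t sn)
{
    struct globals g;
    memset(&g, 0xAA, sizeof g);
    if (check(sn) != EX_OK)
        return -1;
    unsigned char *base = (unsigned char *)&g + offsetof(struct globals, sock_pack_info);
    base[sn] = 0;
    return g.neighbour != 0xAA;
}

/* Counts socket numbers in 0..255 that pass the check yet lie outside the table. */
static int count_escapes(int (*check)(uint8_t))
{
    int n = 0;
    for (int sn = 0; sn <= UINT8_MAX; sn++)
        if (check((uint8_t)sn) == EX_OK && sn >= SOCK_NUM)
            n++;
    return n;
}

int main(void)
{
    printf("buggy: escapes=%d, sn=4 -> %d\n", count_escapes(check_buggy), write_after_check(check_buggy, 4));
    printf("fixed: escapes=%d, sn=4 -> %d\n", count_escapes(check_fixed), write_after_check(check_fixed, 4));
    return 0;
}
```
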