eclipse-threadx / levelx

Eclipse ThreadX - LevelX Provides Flash Wear Leveling for FileX and Stand Alone purposes.
https://github.com/eclipse-threadx/rtos-docs/blob/main/rtos-docs/levelx/index.md
MIT License

Possible array out of bound in lx_nor_flash_extended_cache array #11

Closed Eladov closed 3 years ago

Eladov commented 3 years ago

The function _lx_nor_flash_driver_read has a section that iterates over the lx_nor_flash_extended_cache array:

https://github.com/azure-rtos/levelx/blob/61f92c00c74ebe8c5798652b756115cc8995b894/common/src/lx_nor_flash_driver_read.c#L107-L155

This array is of size LX_NOR_EXTENDED_CACHE_SIZE, which is set to 8, but the for loop iterates up to lx_nor_flash_extended_cache_entries.

The lx_nor_flash_extended_cache_entries value is set in the _lx_nor_flash_extended_cache_enable function, and is basically the number of sector-sized chunks in the given RAM cache:

https://github.com/azure-rtos/levelx/blob/61f92c00c74ebe8c5798652b756115cc8995b894/common/src/lx_nor_flash_extended_cache_enable.c#L117-L139

If the user gives a cache larger than LX_NOR_EXTENDED_CACHE_SIZE sectors, this may lead to exceeding the size of the lx_nor_flash_extended_cache array.

Maybe some sort of input validation should be added to make sure the given RAM memory isn't too big?
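
The mismatch reported above, shown in a simplified model. This is an added example, not LevelX source and not the fix that was later released. The struct, function names and 512-byte sector size are assumptions; only the table size of 8 comes from the issue. It clamps the entry count at enable time so any later loop bounded by that count stays inside the fixed table.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CACHE_SLOTS  8u    /* LX_NOR_EXTENDED_CACHE_SIZE, as stated in the issue */
#define SECTOR_BYTES 512u  /* assumed sector size for this model */

/* Simplified stand-in for the NOR control block (hypothetical names). */
typedef struct {
    uint8_t *slot_memory[CACHE_SLOTS]; /* fixed table, like lx_nor_flash_extended_cache */
    size_t   entries;                  /* like lx_nor_flash_extended_cache_entries */
} cache_model;

/* Count as described in the issue: one entry per sector-sized chunk, no cap. */
size_t entries_unchecked(size_t ram_bytes)
{
    return ram_bytes / SECTOR_BYTES;
}

/* Guard a reader can apply before looping over the table. */
int entries_in_bounds(size_t entries)
{
    return entries <= CACHE_SLOTS;
}

/* Bounded enable: assign at most CACHE_SLOTS chunks and store the clamped count. */
size_t cache_enable_checked(cache_model *c, uint8_t *ram, size_t ram_bytes)
{
    size_t n = (ram == NULL) ? 0 : ram_bytes / SECTOR_BYTES;
    if (n > CACHE_SLOTS)
        n = CACHE_SLOTS;                /* surplus RAM is simply left unused */
    for (size_t i = 0; i < CACHE_SLOTS; i++)
        c->slot_memory[i] = (i < n) ? ram + i * SECTOR_BYTES : NULL;
    c->entries = n;
    return n;
}

int main(void)
{
    static uint8_t ram[12 * SECTOR_BYTES]; /* constructed input: 12 sectors of cache RAM */
    cache_model c;
    size_t raw = entries_unchecked(sizeof ram);
    printf("unchecked entries=%zu in_bounds=%d\n", raw, entries_in_bounds(raw));
    printf("checked entries=%zu\n", cache_enable_checked(&c, ram, sizeof ram));
    return 0;
}
```

Clamping is one choice; returning an error for an oversized buffer is the stricter alternative, and the page does not say which the maintainers picked.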

bhnaphade commented 3 years ago

Thank you for the feedback. We will review this internally.

bhnaphade commented 3 years ago

We have added a check for boundary and the fix will be available in the next release.

Eladov commented 3 years ago

Thanks