eclipse-threadx / levelx

Eclipse ThreadX - LevelX Provides Flash Wear Leveling for FileX and Stand Alone purposes.
https://github.com/eclipse-threadx/rtos-docs/blob/main/rtos-docs/levelx/index.md
MIT License

NULL pointer dereference in _lx_nand_flash_open #45

Open Nick-Sohacki opened 7 months ago

Nick-Sohacki commented 7 months ago

If you call _lx_nand_flash_open twice in a row (without calling _lx_nand_flash_close in between), there is a NULL pointer dereference on line 508:

    /* Place the NAND flash control block on the list of opened NAND flashes.  First,
       check for an empty list.  */
    if (_lx_nand_flash_opened_count)
    {

        /* List is not empty - other NAND flashes are open.  */

        /* Pickup tail pointer.  */
        tail_ptr =  _lx_nand_flash_opened_ptr -> lx_nand_flash_open_previous;

        /* Place the new NAND flash control block in the list.  */
        _lx_nand_flash_opened_ptr -> lx_nand_flash_open_previous =  nand_flash;
        tail_ptr -> lx_nand_flash_open_next =                       nand_flash; /* <---- NULL pointer dereference here */

        /* Setup this NAND flash's opened links.  */
        nand_flash -> lx_nand_flash_open_previous =  tail_ptr;
        nand_flash -> lx_nand_flash_open_next =      _lx_nand_flash_opened_ptr;   
    }

This is because the LX_NAND_FLASH control block is zeroed out at the top of the function.
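To show the mechanism the report describes, here is an added example (not LevelX code) that models the list of opened flashes with a minimal stand-in for LX_NAND_FLASH: the unchecked open mirrors the linking logic quoted above, zeroes the block first, and reports a NULL tail pointer instead of dereferencing it, while the checked variant refuses to re-open a block that is still on the list, whatever its position. The struct, function and variable names are assumptions.

```c
#include <string.h>

/* Assumed stand-in for LX_NAND_FLASH: only the opened-list links are modelled. */
typedef struct flash_s {
    struct flash_s *open_previous;
    struct flash_s *open_next;
} flash_t;

static flash_t *opened_ptr = NULL;   /* head of the circular list of open flashes */
static unsigned opened_count = 0;    /* number of blocks currently on that list */

/* Returns 1 if the block is already linked into the opened list, else 0. */
int flash_is_open(const flash_t *f)
{
    unsigned i; const flash_t *p = opened_ptr;
    for (i = 0; i < opened_count; i++) { if (p == f) return 1; p = p->open_next; }
    return 0;
}

/* Mirrors the open logic from the issue. Returns 0 on success, -1 when the tail
   pointer is NULL (the point where the real code dereferences NULL). */
int flash_open_unchecked(flash_t *f)
{
    flash_t *tail;
    memset(f, 0, sizeof(*f));              /* block zeroed at the top, as in _lx_nand_flash_open */
    if (opened_count) {
        tail = opened_ptr->open_previous;  /* NULL if f was the head and has just been zeroed */
        if (tail == NULL) return -1;
        opened_ptr->open_previous = f;
        tail->open_next = f;
        f->open_previous = tail;
        f->open_next = opened_ptr;
    } else {
        opened_ptr = f;                    /* first open: list is just this block */
        f->open_previous = f;
        f->open_next = f;
    }
    opened_count++;
    return 0;
}

/* Hardened variant: reject a second open while the block is still on the list,
   before anything is zeroed. Returns -2 in that case. */
int flash_open_checked(flash_t *f)
{
    if (flash_is_open(f)) return -2;
    return flash_open_unchecked(f);
}

/* Test helper: empty the list between scenarios. */
void flash_list_reset(void) { opened_ptr = NULL; opened_count = 0; }
```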