You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The nuttx implementation of flash_area_get_sectors runs a loop from 0 to fa->fa_size, writing sector entries into sectors[] and incrementing a local variable total_count for the array index.
It does not, however, check that total_count does not exceed the provided *count (which has been set by the caller to BOOT_MAX_IMG_SECTORS.)
I think this means that if BOOT_MAX_IMG_SECTORS is configured too small, flash_area_get_sectors will write past the end of the sectors[] array. There may be other checks which might catch this, but they seem to be run AFTER flash_area_get_sectors, which means that the memory corruption will have already occurred.
IME it's actually pretty easy to have BOOT_MAX_IMG_SECTORS configured too low, and one expects the ""Failed reading sectors; BOOT_MAX_IMG_SECTORS=%d - too small?" error from much higher up the stack, however if a buffer's been blown before then it might not be reliable.
Because the Nuttx code is using uniform sector sizes, this error situation could be pre-calculated, but if one wanted to protect the loop structure in case of future generalisation (partly because the Nuttx code is a great general porting reference), then the loop could have something like this added:
for (off = 0; off < fa->fa_size; off += sector_size)
{
/* Note: Offset here is relative to flash area, not device */
sectors[total_count].fs_off = off;
sectors[total_count].fs_size = sector_size;
total_count++;
/* New code below */
if(total_count >= *count)
{
return ERROR;
}
}
Happy to file a PR if that's useful (and I'm not completely off-track here).
The text was updated successfully, but these errors were encountered:
The nuttx implementation of
flash_area_get_sectorsruns a loop from 0 tofa->fa_size, writing sector entries intosectors[]and incrementing a local variabletotal_countfor the array index.It does not, however, check that
total_countdoes not exceed the provided*count(which has been set by the caller toBOOT_MAX_IMG_SECTORS.)I think this means that if
BOOT_MAX_IMG_SECTORSis configured too small,flash_area_get_sectorswill write past the end of thesectors[]array. There may be other checks which might catch this, but they seem to be run AFTERflash_area_get_sectors, which means that the memory corruption will have already occurred.IME it's actually pretty easy to have
BOOT_MAX_IMG_SECTORSconfigured too low, and one expects the ""Failed reading sectors; BOOT_MAX_IMG_SECTORS=%d - too small?" error from much higher up the stack, however if a buffer's been blown before then it might not be reliable.Because the Nuttx code is using uniform sector sizes, this error situation could be pre-calculated, but if one wanted to protect the loop structure in case of future generalisation (partly because the Nuttx code is a great general porting reference), then the loop could have something like this added:
Happy to file a PR if that's useful (and I'm not completely off-track here).
The text was updated successfully, but these errors were encountered: