Patchwork [U-Boot] dfu:function: Fix number of allocated DFU function pointers

Submitter Łukasz Majewski
Date June 26, 2013, 9:46 a.m.
Message ID <1372239973-25200-1-git-send-email-l.majewski@samsung.com>
Permalink /patch/254678/
State Awaiting Upstream
Delegated to: Marek Vasut

Comments

Łukasz Majewski - June 26, 2013, 9:46 a.m.
This subtle change fixes a problem with too small an amount of allocated
memory to store DFU function pointers.

One needs to allocate extra space for the sentinel NULL pointer in this array
of function pointers.

With the previous code, the NULL value overwrites malloc internal data
and afterwards free(f_dfu->function) crashes.

Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
Cc: Marek Vasut <marex@denx.de>
---
 drivers/usb/gadget/f_dfu.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
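
The sizing rule from the commit message above, as an added example that is not part of the patch or of U-Boot: a NULL-terminated pointer table for n entries needs n + 1 slots, and a fill routine that is told the slot count can refuse the sentinel write that would land past the allocation. `desc_header`, `table_alloc`, `table_fill`, `table_len` and `demo` are hypothetical names, and the descriptor values are constructed.

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for struct usb_descriptor_header. */
struct desc_header { unsigned char bLength, bDescriptorType; };

/* Allocate n entry slots plus one for the NULL sentinel. */
static struct desc_header **table_alloc(size_t n)
{
	if (n >= SIZE_MAX / sizeof(struct desc_header *))
		return NULL;	/* n + 1 slots would overflow the byte count */
	return calloc(n + 1, sizeof(struct desc_header *));
}

/* Store n entries and terminate; slots is the allocated slot count. */
static int table_fill(struct desc_header **tab, size_t slots,
		      struct desc_header *src, size_t n)
{
	size_t i;

	if (!tab || n >= slots)
		return -1;	/* tab[n] = NULL would be out of bounds */
	for (i = 0; i < n; i++)
		tab[i] = &src[i];
	tab[n] = NULL;		/* sentinel lives in slot n */
	return 0;
}

/* Consumers find the end by walking to the sentinel. */
static size_t table_len(struct desc_header *const *tab)
{
	size_t len = 0;

	while (tab[len])
		len++;
	return len;
}

/* Returns 0 when the n-slot case is rejected and the n + 1 case works. */
static int demo(void)
{
	struct desc_header src[3] = { {9, 4}, {9, 4}, {9, 4} }; /* constructed */
	struct desc_header **tab = table_alloc(3);
	int too_small, ok;
	size_t len;

	if (!tab)
		return -1;
	too_small = table_fill(tab, 3, src, 3);	/* pre-fix size: n slots */
	ok = table_fill(tab, 4, src, 3);	/* post-fix size: n + 1 slots */
	len = ok == 0 ? table_len(tab) : 0;
	free(tab);
	return (too_small == -1 && ok == 0 && len == 3) ? 0 : 1;
}

int main(void) { return demo(); }
```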
Heiko Schocher - June 26, 2013, 11:35 a.m.
Hello Lukasz,

On 26.06.2013 11:46, Lukasz Majewski wrote:
> This subtle change fixes a problem with too small an amount of allocated
> memory to store DFU function pointers.
> 
> One needs to allocate extra space for the sentinel NULL pointer in this array
> of function pointers.
> 
> With the previous code, the NULL value overwrites malloc internal data
> and afterwards free(f_dfu->function) crashes.
> 
> Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
> Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
> Cc: Marek Vasut <marex@denx.de>
> ---
>  drivers/usb/gadget/f_dfu.c |    2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Acked-by: Heiko Schocher <hs@denx.de>

Thanks!

bye,
Heiko
Marek Vasut - June 26, 2013, 12:07 p.m.
Dear Heiko Schocher,

> Hello Lukasz,
> 
> On 26.06.2013 11:46, Lukasz Majewski wrote:
> > This subtle change fixes a problem with too small an amount of allocated
> > memory to store DFU function pointers.
> > 
> > One needs to allocate extra space for the sentinel NULL pointer in this array
> > of function pointers.
> > 
> > With the previous code, the NULL value overwrites malloc internal data
> > and afterwards free(f_dfu->function) crashes.
> > 
> > Signed-off-by: Lukasz Majewski <l.majewski@samsung.com>
> > Signed-off-by: Kyungmin Park <kyungmin.park@samsung.com>
> > Cc: Marek Vasut <marex@denx.de>
> > ---
> > 
> >  drivers/usb/gadget/f_dfu.c |    2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> Acked-by: Heiko Schocher <hs@denx.de>

Applied, thanks

Best regards,
Marek Vasut

Patch

diff --git a/drivers/usb/gadget/f_dfu.c b/drivers/usb/gadget/f_dfu.c
index 178a004..e3fa0e3 100644
--- a/drivers/usb/gadget/f_dfu.c
+++ b/drivers/usb/gadget/f_dfu.c
@@ -589,7 +589,7 @@  static int dfu_prepare_function(struct f_dfu *f_dfu, int n)
 	struct usb_interface_descriptor *d;
 	int i = 0;
 
-	f_dfu->function = calloc(sizeof(struct usb_descriptor_header *), n);
+	f_dfu->function = calloc(sizeof(struct usb_descriptor_header *), n + 1);
 	if (!f_dfu->function)
 		goto enomem;
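
Review bot: the `n + 1` in the calloc() call carries no comment saying the extra slot holds the terminating NULL, so a later cleanup could drop it again; add a one-line comment above the allocation, for example `/* +1 for the NULL sentinel */`. The arguments are also in (size, count) order, the reverse of the calloc(nmemb, size) prototype; the resulting allocation is the same, but swapping them while this line is being touched would match the prototype. The visible lines do not show where the sentinel is stored, so it is worth confirming in the rest of dfu_prepare_function() that the NULL is written at index n and nothing indexes beyond it.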