WICED 6.0 (back to 3.7.0): ring_buffer_read() race condition when setting max_bytes_to_read

dast_1961951

problematic code:

#define MIN(x,y)  ((x) < (y) ? (x) : (y))

    /* Calculate the amount of data to read out of the buffer */

    max_bytes_to_read = MIN(data_length, ring_buffer_used_space(ring_buffer));

The MIN macro ensures that the given y value (a function in this case) is executed twice instead of once. It is possible for interrupts to intercede and modify the ring buffer result.

In this case, the ring buffer could grow to a size larger than data_length and overrun the passed in buffer.

Does this problem exist with other calls of the MIN() macro?

fix:

    used_space = ring_buffer_used_space(ring_buffer);

    /* Calculate the amount of data to read out of the buffer */

    max_bytes_to_read = MIN(data_length, used_space);

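The double evaluation described in the post, reproduced deterministically as an added example (not part of the original post and not WICED source code). `sim_ring_t`, `sim_used_space()` and the simulated interrupt are hypothetical stand-ins for the ring buffer and its producer ISR, and the byte counts are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define MIN(x, y) ((x) < (y) ? (x) : (y))

/* Hypothetical stand-in for the ring buffer state (not the WICED struct). */
typedef struct {
    volatile uint32_t used; /* bytes currently stored */
    uint32_t isr_bytes;     /* bytes the simulated producer ISR adds */
    int isr_after_call;     /* ISR fires right after this query number */
    int calls;              /* how often the fill level was queried */
} sim_ring_t;

/* Stand-in for ring_buffer_used_space(): returns the fill level, then lets
 * the simulated receive interrupt run once at the configured point. */
static uint32_t sim_used_space(sim_ring_t *rb)
{
    uint32_t snapshot = rb->used;
    if (++rb->calls == rb->isr_after_call)
        rb->used += rb->isr_bytes;
    return snapshot;
}

/* Pattern from the post: the macro expands the call twice, so the value
 * compared and the value returned can come from different moments. */
uint32_t read_len_racy(sim_ring_t *rb, uint32_t data_length)
{
    return MIN(data_length, sim_used_space(rb));
}

/* Pattern from the post's fix: one snapshot, then MIN on plain values. */
uint32_t read_len_fixed(sim_ring_t *rb, uint32_t data_length)
{
    uint32_t used_space = sim_used_space(rb);
    return MIN(data_length, used_space);
}

/* Constructed case: 8-byte destination, 4 bytes buffered, ISR adds 12. */
uint32_t demo(int racy)
{
    sim_ring_t rb = { .used = 4, .isr_bytes = 12, .isr_after_call = 1 };
    return racy ? read_len_racy(&rb, 8) : read_len_fixed(&rb, 8);
}

int main(void)
{
    printf("racy=%u fixed=%u (destination holds 8)\n",
           (unsigned)demo(1), (unsigned)demo(0));
    return 0;
}
```

With the racy form the comparison sees 4 bytes but the second expansion returns the post-interrupt fill level, so the computed length exceeds the caller's `data_length`.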