3 Replies Latest reply on Dec 21, 2011 7:50 PM by kartik.mankad

    Bootloader failure bug

    user_10802449

      I found a way to crash the bootloader when using the I2C interface.  In fact, this should affect any bootloader.  The CYBTLDR_COMMAND_DATA command does not restrict the user from appending data past the dataBuffer boundary.  This will cause unexpected behavior.  In the case of my I2C bootloader, I2C NAKs data from all further transfers, preventing it from performing any command.  Although this can be considered a user error, the result is a complete failure, which is unacceptable for a bootloader.


      Original code:

      case CYBTLDR_COMMAND_DATA:
          /* We have part of a block of data. */
          ackCode = CYRET_SUCCESS;
          memcpy(&dataBuffer[dataOffset], &packetBuffer[CYBTLDR_DATA_ADDR], pktSize);
          dataOffset += pktSize;
          break;

         

       

         

      New code:

      case CYBTLDR_COMMAND_DATA:
          /* We have part of a block of data. */
          ackCode = CYRET_SUCCESS;
          if ( (dataOffset + pktSize) < SIZEOF_COMMAND_BUFFER )
          {
              memcpy(&dataBuffer[dataOffset], &packetBuffer[CYBTLDR_DATA_ADDR], pktSize);
              dataOffset += pktSize;
          }
          else
          {
              ackCode = CYRET_ERR_LENGTH;
          }
          break;
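The bounded data handler from the post, as an added stand-alone example (not code from the post or from the Cypress bootloader): the constant values, the uint16_t offset type and the bl_* helper names are assumed for the demonstration. The guard is written as a subtraction so it cannot wrap if dataOffset + pktSize exceeds the offset type's range, and it accepts a chunk that exactly fills the buffer, which is the one place it differs from the post's "<" test.

```c
#include <stdint.h>
#include <string.h>

/* Stand-in values; the real PSoC bootloader constants are not on the page. */
#define SIZEOF_COMMAND_BUFFER 64u
#define CYBTLDR_DATA_ADDR     4u      /* offset of the payload in packetBuffer */
#define CYRET_SUCCESS         0x00u
#define CYRET_ERR_LENGTH      0x03u

static uint8_t  dataBuffer[SIZEOF_COMMAND_BUFFER];
static uint16_t dataOffset;

/* Start a fresh block: clear the accumulated data and its write offset. */
void bl_reset(void)
{
    memset(dataBuffer, 0, sizeof dataBuffer);
    dataOffset = 0;
}

/* Bounded handling of CYBTLDR_COMMAND_DATA. On overflow nothing is copied,
 * dataOffset is left unchanged and CYRET_ERR_LENGTH is returned, so the
 * host sees a NAK for that chunk instead of the bootloader wedging. */
uint8_t bl_handle_data(const uint8_t *packetBuffer, uint16_t pktSize)
{
    /* Subtraction form: SIZEOF_COMMAND_BUFFER - dataOffset is the free room
     * and never wraps while dataOffset <= SIZEOF_COMMAND_BUFFER. */
    if (pktSize > SIZEOF_COMMAND_BUFFER - dataOffset) {
        return CYRET_ERR_LENGTH;      /* chunk would run past dataBuffer */
    }
    memcpy(&dataBuffer[dataOffset], &packetBuffer[CYBTLDR_DATA_ADDR], pktSize);
    dataOffset += pktSize;
    return CYRET_SUCCESS;
}

uint16_t bl_data_offset(void)      { return dataOffset; }   /* fill level */
uint8_t  bl_data_byte(uint16_t i)  { return dataBuffer[i]; }

/* Build a constructed packet whose payload is pktSize copies of 'fill'
 * (zeroed header of CYBTLDR_DATA_ADDR bytes in front) and feed it in. */
uint8_t bl_feed(uint16_t pktSize, uint8_t fill)
{
    uint8_t pkt[CYBTLDR_DATA_ADDR + 256];
    if (pktSize > 256) return CYRET_ERR_LENGTH;   /* does not fit the test packet */
    memset(pkt, 0, sizeof pkt);
    memset(&pkt[CYBTLDR_DATA_ADDR], fill, pktSize);
    return bl_handle_data(pkt, pktSize);
}
```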