0 Replies Latest reply on Nov 2, 2017 11:48 AM by dast_1961951

    WICED 6.0 (back to 3.7.0):  ring_buffer_read() race condition when setting max_bytes_to_read

    dast_1961951

      problematic code:

      #define MIN(x,y)  ((x) < (y) ? ( x ): (y))

          /* Calculate the amount of data to read out of the buffer */
          max_bytes_to_read = MIN(data_length, ring_buffer_used_space(ring_buffer));

      The MIN macro ensures that the given y value (a function in this case) is executed twice instead of once. It is possible for interrupts to intercede and modify the ring buffer result.

      In this case, the ring buffer could grow to a size larger than data_length and overrun the passed-in buffer.

      Does this problem exist with other calls of the MIN() macro?

       

       

      fix:

          used_space = ring_buffer_used_space(ring_buffer);

          /* Calculate the amount of data to read out of the buffer */
          max_bytes_to_read = MIN(data_length, used_space);
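The following is an added example, not code from the post or from WICED, that makes the double evaluation observable on a host machine. It uses a constructed stand-in for the ring buffer (hypothetical names `sim_ring_t`, `sim_used_space`, `read_len_racy`, `read_len_fixed`; the real `ring_buffer_used_space()` is not involved), in which every query of the fill level first lets a simulated ISR deposit a few bytes. With the original pattern the macro queries the fill level twice and can return a length larger than the caller's buffer; with the snapshot-then-compare pattern from the fix it queries once and the result is bounded by `data_length`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same shape as the MIN() macro in the post: whichever operand wins is
 * evaluated a second time, so a function-call argument can run twice. */
#define MIN(x, y) ((x) < (y) ? (x) : (y))

/* Constructed stand-in for a ring buffer whose producer runs from an ISR.
 * (Hypothetical type and function names; not the WICED API.) Each call to
 * sim_used_space() first lets the simulated ISR deposit isr_burst bytes, so
 * two evaluations inside MIN() can observe two different fill levels. */
typedef struct {
    uint32_t used;       /* bytes currently held in the buffer */
    uint32_t isr_burst;  /* bytes the simulated ISR adds before each query */
    uint32_t calls;      /* how often the fill level was queried */
} sim_ring_t;

static uint32_t sim_used_space(sim_ring_t *rb)
{
    rb->used += rb->isr_burst;   /* the simulated interrupt lands here */
    rb->calls++;
    return rb->used;
}

/* Original pattern: the query is an argument of MIN(), so it may run twice. */
uint32_t read_len_racy(sim_ring_t *rb, uint32_t data_length)
{
    return MIN(data_length, sim_used_space(rb));
}

/* Pattern from the fix: take one snapshot, then compare the snapshot. */
uint32_t read_len_fixed(sim_ring_t *rb, uint32_t data_length)
{
    uint32_t used_space = sim_used_space(rb);
    return MIN(data_length, used_space);
}

/* One scenario each, started from the same constructed state: the caller's
 * buffer holds 5 bytes and the ISR adds 4 bytes per query. calls_out
 * (optional) receives how many times the fill level was read. */
uint32_t scenario_racy(uint32_t *calls_out)
{
    sim_ring_t rb = { 0, 4, 0 };
    uint32_t n = read_len_racy(&rb, 5);   /* 5 < 4 fails, second query sees 8 */
    if (calls_out) *calls_out = rb.calls;
    return n;
}

uint32_t scenario_fixed(uint32_t *calls_out)
{
    sim_ring_t rb = { 0, 4, 0 };
    uint32_t n = read_len_fixed(&rb, 5);  /* single snapshot of 4, MIN gives 4 */
    if (calls_out) *calls_out = rb.calls;
    return n;
}

int main(void)
{
    uint32_t calls;
    uint32_t n = scenario_racy(&calls);
    printf("racy : queried %u times, would copy %u bytes into a 5-byte buffer%s\n",
           (unsigned)calls, (unsigned)n, n > 5 ? "  <-- overrun" : "");
    n = scenario_fixed(&calls);
    printf("fixed: queried %u times, copies %u bytes\n", (unsigned)calls, (unsigned)n);
    return 0;
}
```

The same reasoning answers the question about other MIN() call sites: any argument that has side effects or reads state an interrupt can change (a function call, a `volatile` read, `i++`) is unsafe inside a macro that names its parameter more than once, and the snapshot-into-a-local pattern is the fix in every such case.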