0 Replies Latest reply on Nov 2, 2017 11:48 AM by DaveStude

    WICED 6.0 (back to 3.7.0):  ring_buffer_read() race condition when setting max_bytes_to_read

    DaveStude

      Problematic code:

          #define MIN(x,y)  ((x) < (y) ? ( x ): (y))

          /* Calculate the amount of data to read out of the buffer */
          max_bytes_to_read = MIN(data_length, ring_buffer_used_space(ring_buffer));

      The MIN macro ensures that the given y value (a function in this case) is executed twice instead of once. It is possible for interrupts to intercede and modify the ring buffer result.

      In this case, the ring buffer could grow to a size larger than data_length and overrun the passed-in buffer.

      Does this problem exist with other calls of the MIN() macro?

      Fix:

          /* Query the fill level once so MIN() compares and returns the same value */
          used_space = ring_buffer_used_space(ring_buffer);

          /* Calculate the amount of data to read out of the buffer */
          max_bytes_to_read = MIN(data_length, used_space);
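
The double evaluation described in the post, as an added example that is not part of the original post or the WICED SDK. `demo_ring_t`, `demo_used_space()` and the scripted "interrupt" are hypothetical stand-ins for the real ring buffer and a producer ISR, and the byte counts are constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define MIN(x,y)  ((x) < (y) ? (x) : (y))

/* Hypothetical stand-in for the ring buffer: a fill level plus a scripted "interrupt". */
typedef struct {
    volatile uint32_t used;   /* bytes currently stored */
    uint32_t calls;           /* how many times the fill level was queried */
    uint32_t isr_after_call;  /* simulated producer ISR fires after this query */
    uint32_t isr_bytes;       /* bytes the simulated ISR adds */
} demo_ring_t;

static uint32_t demo_used_space(demo_ring_t *r)
{
    uint32_t level = r->used;
    if (++r->calls == r->isr_after_call)
        r->used += r->isr_bytes;  /* data arrives right after this query returns */
    return level;
}

/* Pattern from the post: the macro argument is a call, so it can run twice. */
static uint32_t read_len_macro(demo_ring_t *r, uint32_t data_length)
{
    return MIN(data_length, demo_used_space(r));
}

/* Pattern from the fix: query once, then compare and return the local copy. */
static uint32_t read_len_snapshot(demo_ring_t *r, uint32_t data_length)
{
    uint32_t used_space = demo_used_space(r);
    return MIN(data_length, used_space);
}

int main(void)
{
    /* Constructed scenario: 10 bytes buffered, caller's buffer holds 16,
       the simulated ISR adds 20 bytes after the first fill-level query. */
    demo_ring_t a = { 10, 0, 1, 20 }, b = { 10, 0, 1, 20 };
    uint32_t n_macro = read_len_macro(&a, 16);
    uint32_t n_snap  = read_len_snapshot(&b, 16);

    printf("macro:    %u bytes, %u queries\n", (unsigned)n_macro, (unsigned)a.calls);
    printf("snapshot: %u bytes, %u queries\n", (unsigned)n_snap, (unsigned)b.calls);
    return 0;
}
```

In this model the second query only happens when the first one reports no more than `data_length`, so the oversized length appears when the buffer holds less than the caller asked for at the moment of the comparison.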