Mirrors_Framework/nuttx
1
0
Fork 0
mirror of https://github.com/apache/nuttx.git synced 2026-05-28 11:56:10 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

If size is greater than (UINT32_MAX - SIZEOF_MM_ALLOCNODE), malloc size can be overflow by MM_ALIGN_UP macro. For example, if task_create() called with stack_size == -1, up_create_stack() functions allocates SIZEOF_MM_ALLOCNODE bytes for stack.

Browse Source 
This can cause data abort in up_stack_color() function.
This commit is contained in:
EunBong Song
2017-10-17 06:37:09 -06:00
committed by Gregory Nutt
parent 5d6ecfa3ca
commit 196911d4fa
1 changed files with 7 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
mm/mm_heap/mm_malloc.c
+7 -2
View File
@@ -1,7 +1,8 @@
/**************************************************************************** /****************************************************************************
* mm/mm_heap/mm_malloc.c * mm/mm_heap/mm_malloc.c
* *
* Copyright (C) 2007, 2009, 2013-2014 Gregory Nutt. All rights reserved. * Copyright (C) 2007, 2009, 2013-2014, 2017 Gregory Nutt. All rights
* reserved.
* Author: Gregory Nutt <gnutt@nuttx.org> * Author: Gregory Nutt <gnutt@nuttx.org>
* *
* Redistribution and use in source and binary forms, with or without * Redistribution and use in source and binary forms, with or without
@@ -75,7 +76,11 @@ FAR void *mm_malloc(FAR struct mm_heap_s *heap, size_t size)
/* Handle bad sizes */ /* Handle bad sizes */
if (size < 1) #ifndef CONFIG_MM_SMALL
if (size < 1 || size > (UINT32_MAX - SIZEOF_MM_ALLOCNODE))
#else
if (size < 1 || size > (UINT16_MAX - SIZEOF_MM_ALLOCNODE))
#endif
{ {
return NULL; return NULL;
} }