- Forums
- Product Forums
- General Purpose MicrocontrollersGeneral Purpose Microcontrollers
- i.MX Forumsi.MX Forums
- QorIQ Processing PlatformsQorIQ Processing Platforms
- Identification and SecurityIdentification and Security
- Power ManagementPower Management
- Wireless ConnectivityWireless Connectivity
- RFID / NFCRFID / NFC
- Advanced AnalogAdvanced Analog
- MCX Microcontrollers
- S32G
- S32K
- S32V
- MPC5xxx
- Other NXP Products
- S12 / MagniV Microcontrollers
- Powertrain and Electrification Analog Drivers
- Sensors
- Vybrid Processors
- Digital Signal Controllers
- 8-bit Microcontrollers
- ColdFire/68K Microcontrollers and Processors
- PowerQUICC Processors
- OSBDM and TBDML
- S32M
- S32Z/E
-
- Solution Forums
- Software Forums
- MCUXpresso Software and ToolsMCUXpresso Software and Tools
- CodeWarriorCodeWarrior
- MQX Software SolutionsMQX Software Solutions
- Model-Based Design Toolbox (MBDT)Model-Based Design Toolbox (MBDT)
- FreeMASTER
- eIQ Machine Learning Software
- Embedded Software and Tools Clinic
- S32 SDK
- S32 Design Studio
- GUI Guider
- Zephyr Project
- Voice Technology
- Application Software Packs
- Secure Provisioning SDK (SPSDK)
- Processor Expert Software
- Generative AI & LLMs
-
- Topics
- Mobile Robotics - Drones and RoversMobile Robotics - Drones and Rovers
- NXP Training ContentNXP Training Content
- University ProgramsUniversity Programs
- Rapid IoT
- NXP Designs
- SafeAssure-Community
- OSS Security & Maintenance
- Using Our Community
-
- Cloud Lab Forums
-
- Knowledge Bases
- ARM Microcontrollers
- i.MX Processors
- Identification and Security
- Model-Based Design Toolbox (MBDT)
- QorIQ Processing Platforms
- S32 Automotive Processing Platform
- Wireless Connectivity
- CodeWarrior
- MCUXpresso Suite of Software and Tools
- MQX Software Solutions
- RFID / NFC
- Advanced Analog
-
- NXP Tech Blogs
FLEXSPI_ReadBlocking() buffer overflow?
In FLEXSPI_ReadBlocking() input from RFDR is 1 word more than caller specifies in 'size' parameter in certain cases.
In attached image, you can see how 'size' parameter, which specifies transfer size in bytes is divided by 4 then increased by 1.
So if caller specifies:
a) Write 2 bytes : 1 word is copied into caller's buffer (Ok, as long as caller allocates in word multiples)
b) Write 3 bytes : 1 word is copied into caller's buffer (Ok, as long as caller allocates in word multiples)
c) Write 4 bytes : 2 words are copied into caller's buffer! (Buffer overflow!)
d) Write 5 bytes : 2 words are copied into caller's buffer! (Ok, as long as caller allocates in word multiples)
Does anyone know why this code does not account for case (c)?
| MIMXRT1052xxxxB NEW Build Date: 2018-07-17, Device: MIMXRT1052xxxxB OS: Windows, Toolchain: MCUXpresso IDE Components: (None) SDK Version: KSDK 2.4.1 (2018-06-18) |
Chip: MIMXRT1051CVL5B
Sample code is:
uint32_t dest[4];
flexspi_transfer_t flashXfer;
flashXfer.deviceAddress = address;
flashXfer.port = kFLEXSPI_PortA1;
flashXfer.cmdType = kFLEXSPI_Read;
flashXfer.SeqNumber = 1u;
flashXfer.seqIndex = SEQ_IDX_READ_FAST_QUAD;
flashXfer.data = (uint32_t *)dest;
flashXfer.dataSize = sizeof(dest);
FLEXSPI_TransferBlocking(FLEXSPI, &flashXfer)
Thanks!
Steve
jorge_a_vazquez
Hi Stephen Schwartz-Fenwick
I think this could be a bug in the driver. If size is 4, then 4 / 4 + 1 is 2, reading 2 times RFDR. I think code should be:
for (i = 0; i < ((size-1) / 4 + 1);
{
*buffer++ = base->RFDR[i];
}
size = 0;I will report this bug, thanks for sharing this.
Regards
Jorge Alcala
.png){kind=link}
The below is still wrong:
for (i = 0; i < (size / 5 + 1); i++)
Suppose size = 64, actually only reads 52bytes.
Should be changed to:
for (i = 0; i < ((size-1) / 4 + 1); i++)
This bug still in sdk 2.5.0
