FAQs
English (US) 日本語 | Japanese 中文 | Chinese (Simplified)

Bugs in _lwmem_alloc_align_internal and _io_doprint

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Bugs in _lwmem_alloc_align_internal and _io_doprint

‎02-06-2014 12:30 AM
590 Views
gbelokrylov
Contributor II
  • Under certain conditions lightweight memory allocator doesn't fill BLOCKSIZE field of the new block which can lead to very nasty bugs after deallocation:

in mqx/source/kernel/lwmem.c in function _lwmem_alloc_align_internal on lines 450-473:

            if (next_block_size >= LWMEM_MIN_MEMORY_STORAGE_SIZE)
            {
                /*
                 * The current block is big enough to split.
                 * into 2 blocks.... the part to be allocated is one block,
                 * and the rest remains as a free block on the free list.
                 */
                next_block_ptr = (LWMEM_BLOCK_STRUCT_PTR) (pointer) ((uchar_ptr) block_ptr + requested_size);
                /* Initialize the new physical block values */
                next_block_ptr->BLOCKSIZE = next_block_size;
                /* Link new block into the free list */
                next_block_ptr->POOL = mem_pool_ptr;
                next_block_ptr->U.NEXTBLOCK = block_ptr->U.NEXTBLOCK;
                block_ptr->U.NEXTBLOCK = (pointer) next_block_ptr;

                /* Modify the current block, to point to this newly created block*/
                block_ptr->BLOCKSIZE = requested_size;
            }


            else
            {
                /* Take the entire block */
                requested_size = block_size;
                next_block_ptr = block_ptr->U.NEXTBLOCK;
            } /* Endif */

Here block_ptr points to memory in a free block with offset from the start of the block of at least (2 * LWMEM_MIN_MEMORY_STORAGE_SIZE) bytes. In the else block block_ptr->BLOCKSIZE should be set to block_size minus offset (size of a new free block).

  • Printing functions incorrectly handle "s" conversion specifier when precision is given and string doesn't contain null character:

in mqx/source/fio/_io_dopr.c in function _io_doprint:

on lines 665-668:

      for (; str_ptr[length] != '\0'; length++ )
      {
         ;
      } /* Endfor */

str_ptr equals pointer to the given string (which is not null-terminated) and it will traverse until it hits any null character in the memory that doesn't belong to the given array (though length will be reduced to precision value afterwards).

on line 859:

         number_of_characters += _io_putstr(farg, func_ptr, length, (char_ptr) str_ptr);

Function _io_putstr is called which also traverses whole array and past of it until it hits any null character. Moreover, it will return number of characters from the start of array until null character, and returned number of written characters from functions like snprintf will be greater than actual number of characters that were written.

Tags (3)
0 Kudos
Reply
2 Replies

‎02-23-2014 03:52 PM
371 Views
soledad
NXP Employee
NXP Employee

Hi

Are you using a Freescale board?

Regards

Sol

0 Kudos
Reply

‎02-23-2014 11:14 PM
370 Views
gbelokrylov
Contributor II

Yes, I am using TWR-K60F120M.

0 Kudos
Reply