Don't accept remote objects with the wrong size
Fixes memory corruption when the crc happens to match, but the size doesn't.
parent
3b422d2ac4
commit
a08bcea998
2 changed files with 59 additions and 14 deletions
|
@ -73,6 +73,7 @@ void transport_recv_frame(uint8_t from, uint8_t* data, uint16_t size) {
|
||||||
uint8_t id = data[size-1];
|
uint8_t id = data[size-1];
|
||||||
if (id < num_remote_objects) {
|
if (id < num_remote_objects) {
|
||||||
remote_object_t* obj = remote_objects[id];
|
remote_object_t* obj = remote_objects[id];
|
||||||
|
if (obj->object_size == size - 1) {
|
||||||
uint8_t* start;
|
uint8_t* start;
|
||||||
if (obj->object_type == MASTER_TO_ALL_SLAVES) {
|
if (obj->object_type == MASTER_TO_ALL_SLAVES) {
|
||||||
start = obj->buffer + LOCAL_OBJECT_SIZE(obj->object_size);
|
start = obj->buffer + LOCAL_OBJECT_SIZE(obj->object_size);
|
||||||
|
@ -86,9 +87,10 @@ void transport_recv_frame(uint8_t from, uint8_t* data, uint16_t size) {
|
||||||
}
|
}
|
||||||
triple_buffer_object_t* tb = (triple_buffer_object_t*)start;
|
triple_buffer_object_t* tb = (triple_buffer_object_t*)start;
|
||||||
void* ptr = triple_buffer_begin_write_internal(obj->object_size, tb);
|
void* ptr = triple_buffer_begin_write_internal(obj->object_size, tb);
|
||||||
memcpy(ptr, data, size -1);
|
memcpy(ptr, data, size - 1);
|
||||||
triple_buffer_end_write_internal(tb);
|
triple_buffer_end_write_internal(tb);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
void update_transport(void) {
|
void update_transport(void) {
|
||||||
|
|
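Review bot: A zero-length frame is still unguarded in transport_recv_frame: `uint8_t id = data[size-1];` runs before the new size check, so with `size == 0` it reads `data[-1]`, one byte before the buffer, and treats that byte as the object id. The added `obj->object_size == size - 1` comparison stops the oversized `memcpy`, but it comes too late for this read; an early `if (size == 0) return;` at the top of the function would cover it. A comment on the new check, for example `// last byte of the frame is the object id; the payload must match the registered object size exactly`, would also record why a mismatched frame is dropped silently. The function body starts above the first hunk, so an earlier guard may exist outside the visible lines.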
|
@ -123,3 +123,46 @@ Ensure(Transport, writes_from_master_to_single_slave) {
|
||||||
assert_that(obj2, is_not_equal_to(NULL));
|
assert_that(obj2, is_not_equal_to(NULL));
|
||||||
assert_that(obj2->test, is_equal_to(7));
|
assert_that(obj2->test, is_equal_to(7));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Ensure(Transport, ignores_object_with_invalid_id) {
|
||||||
|
update_transport();
|
||||||
|
test_object1_t* obj = begin_write_master_to_single_slave(3);
|
||||||
|
obj->test = 7;
|
||||||
|
expect(signal_data_written);
|
||||||
|
end_write_master_to_single_slave(3);
|
||||||
|
expect(router_send_frame,
|
||||||
|
when(destination, is_equal_to(4)));
|
||||||
|
update_transport();
|
||||||
|
sent_data[sent_data_size - 1] = 44;
|
||||||
|
transport_recv_frame(0, sent_data, sent_data_size);
|
||||||
|
test_object1_t* obj2 = read_master_to_single_slave();
|
||||||
|
assert_that(obj2, is_equal_to(NULL));
|
||||||
|
}
|
||||||
|
|
||||||
|
Ensure(Transport, ignores_object_with_size_too_small) {
|
||||||
|
update_transport();
|
||||||
|
test_object1_t* obj = begin_write_master_to_slave();
|
||||||
|
obj->test = 7;
|
||||||
|
expect(signal_data_written);
|
||||||
|
end_write_master_to_slave();
|
||||||
|
expect(router_send_frame);
|
||||||
|
update_transport();
|
||||||
|
sent_data[sent_data_size - 2] = 0;
|
||||||
|
transport_recv_frame(0, sent_data, sent_data_size - 1);
|
||||||
|
test_object1_t* obj2 = read_master_to_slave();
|
||||||
|
assert_that(obj2, is_equal_to(NULL));
|
||||||
|
}
|
||||||
|
|
||||||
|
Ensure(Transport, ignores_object_with_size_too_big) {
|
||||||
|
update_transport();
|
||||||
|
test_object1_t* obj = begin_write_master_to_slave();
|
||||||
|
obj->test = 7;
|
||||||
|
expect(signal_data_written);
|
||||||
|
end_write_master_to_slave();
|
||||||
|
expect(router_send_frame);
|
||||||
|
update_transport();
|
||||||
|
sent_data[sent_data_size + 21] = 0;
|
||||||
|
transport_recv_frame(0, sent_data, sent_data_size + 22);
|
||||||
|
test_object1_t* obj2 = read_master_to_slave();
|
||||||
|
assert_that(obj2, is_equal_to(NULL));
|
||||||
|
}
|
||||||
|
|
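Review bot: `ignores_object_with_size_too_big` writes `sent_data[sent_data_size + 21] = 0;` and then passes `sent_data_size + 22` bytes to transport_recv_frame, so the test depends on `sent_data` having at least 22 bytes of spare capacity. That capacity is not visible here; if it is smaller, the test overruns its own fixture buffer. Deriving the offset from the buffer's declared size, or asserting the capacity before the write, would make the assumption explicit. The three new cases also leave the lower boundary uncovered: a frame holding only the id byte, such as `transport_recv_frame(0, sent_data, 1);` followed by the same NULL read assertion, would pin the smallest rejected size.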