From: Evan Hunter Date: Tue, 2 Apr 2013 06:35:23 +0000 (+1100) Subject: gdb server: Fix buffer overrun - sprintf appends a terminating null to the data which... X-Git-Tag: v0.7.0-rc1~32 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=0875e64ddb1cade43c7a56d8cc6e743364b65b58;p=openocd gdb server: Fix buffer overrun - sprintf appends a terminating null to the data which was overrunning the supplied buffer. Fixes regression introduced in commit 07dcd5648d146d38f9ffa619f0737587e592d0b6 Signed-off-by: Evan Hunter Change-Id: Iec64233c0da5a044fb984c4b1803309cb636efe9 Reviewed-on: http://openocd.zylin.com/1312 Tested-by: jenkins Reviewed-by: Spencer Oliver
---
diff --git a/src/server/gdb_server.c b/src/server/gdb_server.c
index b643ae70..cb96bf29 100644
--- a/src/server/gdb_server.c
+++ b/src/server/gdb_server.c
@@ -978,7 +978,7 @@ static int gdb_get_registers_packet(struct connection *connection,
  assert(reg_packet_size > 0);
- reg_packet = malloc(reg_packet_size);
+ reg_packet = malloc(reg_packet_size + 1); /* plus one for string termination null */
  reg_packet_p = reg_packet;
  for (i = 0; i < reg_list_size; i++) {
@@ -1085,7 +1085,7 @@ static int gdb_get_register_packet(struct connection *connection,
  if (!reg_list[reg_num]->valid) reg_list[reg_num]->type->get(reg_list[reg_num]);
- reg_packet = malloc(DIV_ROUND_UP(reg_list[reg_num]->size, 8) * 2);
+ reg_packet = malloc(DIV_ROUND_UP(reg_list[reg_num]->size, 8) * 2 + 1); /* plus one for string termination null */
  gdb_str_to_target(target, reg_packet, reg_list[reg_num]);
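Review bot: The result of `malloc(reg_packet_size + 1)` in gdb_get_registers_packet is copied into `reg_packet_p` and carried into the register loop with no NULL check in the visible lines, so an allocation failure would become a write through a null pointer while answering a GDB request. A guard directly after the allocation, such as `if (reg_packet == NULL) return ERROR_FAIL;`, would turn that into a clean error; the function body continues outside the hunk, so anything allocated earlier would need releasing on that path too. The allocation in gdb_get_register_packet has the same gap, with the pointer passed straight to `gdb_str_to_target` on the next line.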
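Review bot: The `+ 1` in gdb_get_register_packet encodes a size requirement of `gdb_str_to_target` that no caller can see at the helper itself; the commit message attributes it to sprintf appending a terminating null, and the same adjustment is repeated by hand in gdb_get_registers_packet. The helper is defined outside the hunk, but as called here it receives no buffer length, so a future caller that sizes its buffer as two hex characters per register byte would bring back the one-byte heap overrun. I would document the contract on the helper, for example `/* caller must provide 2 hex chars per register byte plus 1 for the NUL that sprintf appends */`, and derive both allocation sizes from one shared expression. Passing the buffer size into the helper so it can bound its own writes would be the more durable fix.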