From 6ddcee7d20ee873f1c214736c22f29d9781dded4 Mon Sep 17 00:00:00 2001
From: Mathias K
Date: Thu, 24 Feb 2011 13:00:59 +0100
Subject: [PATCH] ft2232: fix possible read buffer overflow

This patch fix a possible read buffer overflow in ft2232_execute_queue. Also the correct read queue size for libftdi and libftd2xx was added and and tested. In function ft2232_write a uninitialized value was initialized because we don't know if this value was set in the ftdi api call.
---
 src/jtag/drivers/ft2232.c | 20 +++++++++++++++++---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/src/jtag/drivers/ft2232.c b/src/jtag/drivers/ft2232.c
index 9024f8e0..a84d069c 100644
--- a/src/jtag/drivers/ft2232.c
+++ b/src/jtag/drivers/ft2232.c
@@ -373,6 +373,12 @@ static int require_send;
 a comment would have been nice.
 */
+#if BUILD_FT2232_FTD2XX == 1
+#define FT2232_BUFFER_READ_QUEUE_SIZE (64*64)
+#else
+#define FT2232_BUFFER_READ_QUEUE_SIZE (64*4)
+#endif
+
 #define FT2232_BUFFER_SIZE 131072
 static uint8_t* ft2232_buffer = NULL;
@@ -499,7 +505,7 @@ static int ft2232_write(uint8_t* buf, int size, uint32_t* bytes_written)
 {
 #if BUILD_FT2232_FTD2XX == 1
 FT_STATUS status;
- DWORD dw_bytes_written;
+ DWORD dw_bytes_written = 0;
 if ((status = FT_Write(ftdih, buf, size, &dw_bytes_written)) != FT_OK)
 {
 *bytes_written = dw_bytes_written;
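Review bot: The two values given to `FT2232_BUFFER_READ_QUEUE_SIZE`, `(64*64)` for the FTD2XX build and `(64*4)` for libftdi, are bare products with no comment saying what they bound or where the figures come from, and the commit message only says they were tested. Without that, a later maintainer cannot tell whether 64 is a USB packet size, a chip FIFO depth or a library default, nor whether the two values must track anything in the driver libraries. A comment above the `#if`, such as `/* bytes of pending reads ft2232_execute_queue may accumulate before it forces a send/recv; per-driver limit, TODO: cite the source of 64*64 and 64*4 */`, would capture the intent and point at what to re-check when a library version changes. The libftdi value (256) happens to equal the old hard-coded threshold the commit replaces, which is worth stating explicitly so the relationship is not lost.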
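Review bot: `DWORD dw_bytes_written = 0;` is the initialisation the commit message describes, but nothing at the declaration says why it matters: the FT_OK failure path immediately below copies `dw_bytes_written` into `*bytes_written` whether or not FT_Write stored to it, so the caller previously read an indeterminate value. A comment on the declaration, `/* may not be set by FT_Write on failure; the error path below reports it */`, would keep a future cleanup from dropping the initialiser as redundant. ft2232_write's `#else` (libftdi) branch and the rest of the function are outside the hunk, so I cannot see whether the other driver's out-parameter has the same exposure.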
@@ -2081,12 +2087,20 @@ static int ft2232_execute_queue(void)
 while (cmd)
 {
+ /* fill the write buffer with the desired command */
 if (ft2232_execute_command(cmd) != ERROR_OK)
 retval = ERROR_JTAG_QUEUE_FAILED;
- /* Start reading input before FT2232 TX buffer fills up */
+ /* Start reading input before FT2232 TX buffer fills up.
+ * Sometimes this happens because we don't know the
+ * length of the last command before we execute it. So
+ * we simple inform the user.
+ */
 cmd = cmd->next;
- if (ft2232_expect_read > 256)
+
+ if (ft2232_expect_read >= FT2232_BUFFER_READ_QUEUE_SIZE )
 {
+ if (ft2232_expect_read > (FT2232_BUFFER_READ_QUEUE_SIZE+1) )
+ LOG_WARNING("read buffer size looks to high");
 if (ft2232_send_and_recv(first_unsent, cmd) != ERROR_OK)
 retval = ERROR_JTAG_QUEUE_FAILED;
 first_unsent = cmd;
-- 
2.39.5
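Review bot: The new guard `if (ft2232_expect_read >= FT2232_BUFFER_READ_QUEUE_SIZE )` is evaluated only after ft2232_execute_command has already queued the command, so a single command whose reads push ft2232_expect_read past the queue size is still passed to ft2232_send_and_recv; the added `LOG_WARNING` reports that condition but nothing in the hunk refuses or splits the oversized read. If ft2232_send_and_recv cannot chunk a read larger than the device queue (not visible from here), the overflow named in the commit title is detected rather than prevented, and setting `retval = ERROR_JTAG_QUEUE_FAILED;` next to the warning, or checking the expected read size before executing the command, would make the failure explicit to the caller. The `+1` in `(FT2232_BUFFER_READ_QUEUE_SIZE+1)` is unexplained, since it lets an excess of exactly one byte pass silently; a one-line comment on why that is tolerated, or dropping it, would help. Minor wording: `"read buffer size looks to high"` should read `too high`, and `we simple inform the user` should read `simply`. The closing braces of the while loop and the remainder of ft2232_execute_queue lie outside the hunk.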