From dbf5a58fa1422b6ba3fbdfd8c11895f656e41373 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E6=9C=B1=E5=A4=A9=E9=BE=99=20=28Armink=29?= Date: Sun, 14 May 2023 18:31:10 +0800 Subject: [PATCH] [kvdb] fixed the memory read out of bounds error --- src/fdb_kvdb.c | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/src/fdb_kvdb.c b/src/fdb_kvdb.c index a09a4d3..64e2163 100644 --- a/src/fdb_kvdb.c +++ b/src/fdb_kvdb.c @@ -349,9 +349,9 @@ static fdb_err_t read_kv(fdb_kvdb_t db, fdb_kv_t kv) FDB_ASSERT(0); } - /* CRC32 data len(header.name_len + header.value_len + name + value) */ - calc_crc32 = fdb_calc_crc32(calc_crc32, &kv_hdr.name_len, sizeof(kv_hdr.name_len)); - calc_crc32 = fdb_calc_crc32(calc_crc32, &kv_hdr.value_len, sizeof(kv_hdr.value_len)); + /* CRC32 data len(header.name_len + header.value_len + name + value), using sizeof(uint32_t) for compatible V1.x */ + calc_crc32 = fdb_calc_crc32(calc_crc32, &kv_hdr.name_len, sizeof(uint32_t)); + calc_crc32 = fdb_calc_crc32(calc_crc32, &kv_hdr.value_len, sizeof(uint32_t)); crc_data_len = kv->len - KV_HDR_DATA_SIZE; /* calculate the CRC32 value */ for (len = 0, size = 0; len < crc_data_len; len += size) { @@ -724,7 +724,7 @@ static fdb_err_t write_kv_hdr(fdb_kvdb_t db, uint32_t addr, kv_hdr_data_t kv_hdr return result; } /* write other header data */ - result = _fdb_flash_write((fdb_db_t)db, addr + KV_MAGIC_OFFSET, &kv_hdr->magic, KV_HDR_DATA_SIZE - KV_MAGIC_OFFSET, false); + result = _fdb_flash_write((fdb_db_t)db, addr + KV_MAGIC_OFFSET, &kv_hdr->magic, sizeof(struct kv_hdr_data) - KV_MAGIC_OFFSET, false); return result; } @@ -751,7 +751,7 @@ static fdb_err_t format_sector(fdb_kvdb_t db, uint32_t addr, uint32_t combined_v #else // seperate the whole "sec_hdr" program to serval sinle program operation to prevent re-program issue on STM32L4xx or // other MCU internal flash /* write the sector store status */ - _fdb_write_status(db, + _fdb_write_status((fdb_db_t)db, addr + SECTOR_STORE_OFFSET, sec_hdr.status_table.store, FDB_SECTOR_STORE_STATUS_NUM, @@ -759,7 +759,7 @@ static fdb_err_t format_sector(fdb_kvdb_t db, uint32_t addr, uint32_t combined_v true); /* write the sector dirty status */ - _fdb_write_status(db, + _fdb_write_status((fdb_db_t)db, addr + SECTOR_DIRTY_OFFSET, sec_hdr.status_table.dirty, FDB_SECTOR_DIRTY_STATUS_NUM, @@ -770,10 +770,10 @@ static fdb_err_t format_sector(fdb_kvdb_t db, uint32_t addr, uint32_t combined_v sec_hdr.magic = SECTOR_MAGIC_WORD; sec_hdr.combined = combined_value; sec_hdr.reserved = FDB_DATA_UNUSED; - result = _fdb_flash_write(db, + result = _fdb_flash_write((fdb_db_t)db, addr + SECTOR_MAGIC_OFFSET, (void *)(&(sec_hdr.magic)), - (SECTOR_HDR_DATA_SIZE - SECTOR_MAGIC_OFFSET), + (sizeof(struct sector_hdr_data) - SECTOR_MAGIC_OFFSET), true); #endif @@ -1177,8 +1177,9 @@ static fdb_err_t create_kv_blob(fdb_kvdb_t db, kv_sec_info_t sector, const char uint8_t ff = FDB_BYTE_ERASED; /* start calculate CRC32 */ kv_hdr.crc32 = 0; - kv_hdr.crc32 = fdb_calc_crc32(kv_hdr.crc32, &kv_hdr.name_len, sizeof(kv_hdr.name_len)); - kv_hdr.crc32 = fdb_calc_crc32(kv_hdr.crc32, &kv_hdr.value_len, sizeof(kv_hdr.value_len)); + /* CRC32(header.name_len + header.value_len + name + value), using sizeof(uint32_t) for compatible V1.x */ + kv_hdr.crc32 = fdb_calc_crc32(kv_hdr.crc32, &kv_hdr.name_len, sizeof(uint32_t)); + kv_hdr.crc32 = fdb_calc_crc32(kv_hdr.crc32, &kv_hdr.value_len, sizeof(uint32_t)); kv_hdr.crc32 = fdb_calc_crc32(kv_hdr.crc32, key, kv_hdr.name_len); align_remain = FDB_WG_ALIGN(kv_hdr.name_len) - kv_hdr.name_len; while (align_remain--) { @@ -1191,7 +1192,6 @@ static fdb_err_t create_kv_blob(fdb_kvdb_t db, kv_sec_info_t sector, const char } /* write KV header data */ result = write_kv_hdr(db, kv_addr, &kv_hdr); - } /* write key name */ if (result == FDB_NO_ERR) {