Check size of ring buffer (#269)

There is no check if "data" fits into the ring buffer buffer. This causes a write heap buffer overflow. If data is too big for the ringbuffer nothing is written to the ringbuffer and a error is logged If the buffers are bigger than the free space in the ringbuffer, the ringbuffer is increased by a step size set at initialization. But there is no check if this increase was sufficient. Fix this by using a while loop that increases the ring buffer size until it is big enough or the buffer can not be further increased. Signed-off-by: Jan Schrewe <[email protected]>
COVESA · Dec 7, 2020 · af734fe · af734fe
1 parent ff4f44c
commit af734fe
Showing 1 changed file with 26 additions and 12 deletions.
diff --git a/src/shared/dlt_common.c b/src/shared/dlt_common.c
@@ -2361,17 +2361,22 @@ void dlt_buffer_write_block(DltBuffer *buf, int *write, const unsigned char *dat
 {
     /* catch null pointer */
     if ((buf != NULL) && (write != NULL) && (data != NULL)) {
-        if ((int)(*write + size) <= buf->size) {
-            /* write one block */
-            memcpy(buf->mem + *write, data, size);
-            *write += size;
-        }
-        else {
-            /* write two blocks */
-            memcpy(buf->mem + *write, data, buf->size - *write);
-            memcpy(buf->mem, data + buf->size - *write, size - buf->size + *write);
-            *write += size - buf->size;
-        }
+	if (size <= buf->size){
+            if ((int)(*write + size) <= buf->size) {
+                /* write one block */
+                memcpy(buf->mem + *write, data, size);
+                *write += size;
+            }
+            else {
+                /* write two blocks */
+                memcpy(buf->mem + *write, data, buf->size - *write);
+                memcpy(buf->mem, data + buf->size - *write, size - buf->size + *write);
+                *write += size - buf->size;
+            }
+	}
+	else {
+	    dlt_vlog(LOG_WARNING, "%s: Write error: ring buffer to small\n", __func__);
+	}
     }
     else {
         dlt_vlog(LOG_WARNING, "%s: Wrong parameter: Null pointer\n", __func__);
@@ -2596,7 +2601,7 @@ int dlt_buffer_push3(DltBuffer *buf,
         free_size = buf->size - write + read;
 
     /* check size */
-    if (free_size < (int)(sizeof(DltBufferBlockHead) + size1 + size2 + size3)) {
+    while (free_size < (int)(sizeof(DltBufferBlockHead) + size1 + size2 + size3)) {
         /* try to increase size if possible */
         if (dlt_buffer_increase_size(buf))
             /* increase size is not possible */
@@ -2606,6 +2611,15 @@ int dlt_buffer_push3(DltBuffer *buf,
         /* update pointers */
         write = ((int *)(buf->shm))[0];
         read = ((int *)(buf->shm))[1];
+
+	    /* update free size */
+        if (read > write)
+            free_size = read - write;
+        else if (count && (write == read))
+            free_size = 0;
+        else
+            free_size = buf->size - write + read;
+
     }
 
     /* set header */