authorMitchell Hayenga <Mitchell.Hayenga@ARM.com>2012-01-12 15:27:20 -0600
committerMitchell Hayenga <Mitchell.Hayenga@ARM.com>2012-01-12 15:27:20 -0600
commit698408bce2a2294ab620cb70d6272f33fa75e017 (patch)
treeabbc5baf926d183fbf46e1a784517f3e1b71a826
parenta17dbdf8834b84f05a8f5154a74ac819fe8adc7c (diff)
downloadgem5-698408bce2a2294ab620cb70d6272f33fa75e017.tar.xz
Fix memory corruption issue with CopyStringOut()
CopyStringOut() used the wrong index when setting the null character, which would result in zeroing a random byte of memory after (out of bounds) the character array.
-rw-r--r--src/mem/fs_translating_port_proxy.cc14
1 files changed, 9 insertions, 5 deletions
diff --git a/src/mem/fs_translating_port_proxy.cc b/src/mem/fs_translating_port_proxy.cc
index d202b22bd..c0898a003 100644
--- a/src/mem/fs_translating_port_proxy.cc
+++ b/src/mem/fs_translating_port_proxy.cc
@@ -138,15 +138,19 @@ CopyIn(ThreadContext *tc, Addr dest, void *source, size_t cplen)
void
CopyStringOut(ThreadContext *tc, char *dst, Addr vaddr, size_t maxlen)
{
- int len = 0;
char *start = dst;
FSTranslatingPortProxy* vp = tc->getVirtProxy();
- do {
- vp->readBlob(vaddr++, (uint8_t*)dst++, 1);
- } while (len < maxlen && start[len++] != 0 );
+ bool foundNull = false;
+ while ((dst - start + 1) < maxlen && !foundNull) {
+ vp->readBlob(vaddr++, (uint8_t*)dst, 1);
+ if (dst == '\0')
+ foundNull = true;
+ dst++;
+ }
- dst[len] = 0;
+ if (!foundNull)
+ *dst = '\0';
}
void