server/tcl_server.c: Fix buffer overrun 52/5352/2
authorJimmy <nhminus@gmail.com>
Thu, 5 Dec 2019 06:45:17 +0000 (14:45 +0800)
committerTomas Vanek <vanekt@fbl.cz>
Thu, 12 Dec 2019 14:31:42 +0000 (14:31 +0000)
The input buffer size is checked only after writing past its end.

Change-Id: I6a9651c5b7d82efe338468d67bf6caca41004b01
Signed-off-by: Jimmy <nhminus@gmail.com>
Reviewed-on: http://openocd.zylin.com/5352
Tested-by: jenkins
Reviewed-by: Tomas Vanek <vanekt@fbl.cz>
src/server/tcl_server.c

index 1ec45ff..1735c43 100644 (file)
@@ -199,7 +199,7 @@ static int tcl_input(struct connection *connection)
        for (i = 0; i < rlen; i++) {
                /* buffer the data */
                tclc->tc_line[tclc->tc_lineoffset] = in[i];
-               if (tclc->tc_lineoffset < tclc->tc_line_size) {
+               if (tclc->tc_lineoffset + 1 < tclc->tc_line_size) {
                        tclc->tc_lineoffset++;
                } else if (tclc->tc_line_size >= TCL_LINE_MAX) {
                        /* maximum line size reached, drop line */
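Review bot: The store `tclc->tc_line[tclc->tc_lineoffset] = in[i];` just above the changed check is still unconditional, so it is only in bounds if `tc_lineoffset < tc_line_size` holds at the start of every loop iteration, and nothing in the code says so. The new `+ 1` comparison preserves that invariant on the increment path and in the drop-line branch, where the offset stays on the last slot. A comment at the check would help, for example `/* byte already stored at tc_lineoffset; advance only while the next slot is still inside tc_line */`. The body of tcl_input continues below the hunk, so the buffer-growth branch is not visible; it is worth confirming there that the offset advances only after the reallocation succeeds and that a line of exactly `tc_line_size - 1` bytes is handled as intended.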