From: Jimmy <nhminus@gmail.com>
Date: Thu, 5 Dec 2019 06:45:17 +0000 (+0800)
Subject: server/tcl_server.c: Fix buffer overrun
X-Git-Tag: v0.11.0-rc1~553
X-Git-Url: https://review.openocd.org/gitweb?p=openocd.git;a=commitdiff_plain;h=0f12d792ed5ab2b8f934e689b8a23f8c55f1f218

server/tcl_server.c: Fix buffer overrun

The input buffer size is checked only after writing past its end.

Change-Id: I6a9651c5b7d82efe338468d67bf6caca41004b01
Signed-off-by: Jimmy <nhminus@gmail.com>
Reviewed-on: http://openocd.zylin.com/5352
Tested-by: jenkins
Reviewed-by: Tomas Vanek <vanekt@fbl.cz>
---

diff --git a/src/server/tcl_server.c b/src/server/tcl_server.c
index 1ec45ffbb1..1735c43ffe 100644
--- a/src/server/tcl_server.c
+++ b/src/server/tcl_server.c
@@ -199,7 +199,7 @@ static int tcl_input(struct connection *connection)
 	for (i = 0; i < rlen; i++) {
 		/* buffer the data */
 		tclc->tc_line[tclc->tc_lineoffset] = in[i];
-		if (tclc->tc_lineoffset < tclc->tc_line_size) {
+		if (tclc->tc_lineoffset + 1 < tclc->tc_line_size) {
 			tclc->tc_lineoffset++;
 		} else if (tclc->tc_line_size >= TCL_LINE_MAX) {
 			/* maximum line size reached, drop line */