From 0f12d792ed5ab2b8f934e689b8a23f8c55f1f218 Mon Sep 17 00:00:00 2001
From: Jimmy
Date: Thu, 5 Dec 2019 14:45:17 +0800
Subject: [PATCH] server/tcl_server.c: Fix buffer overrun

The input buffer size is checked only after writing past its end.

Change-Id: I6a9651c5b7d82efe338468d67bf6caca41004b01
Signed-off-by: Jimmy
Reviewed-on: http://openocd.zylin.com/5352
Tested-by: jenkins
Reviewed-by: Tomas Vanek
---
 src/server/tcl_server.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/server/tcl_server.c b/src/server/tcl_server.c
index 1ec45ffbb1..1735c43ffe 100644
--- a/src/server/tcl_server.c
+++ b/src/server/tcl_server.c
@@ -199,7 +199,7 @@ static int tcl_input(struct connection *connection)
 for (i = 0; i < rlen; i++) {
 /* buffer the data */
 tclc->tc_line[tclc->tc_lineoffset] = in[i];
- if (tclc->tc_lineoffset < tclc->tc_line_size) {
+ if (tclc->tc_lineoffset + 1 < tclc->tc_line_size) {
 tclc->tc_lineoffset++;
 } else if (tclc->tc_line_size >= TCL_LINE_MAX) {
 /* maximum line size reached, drop line */
-- 
2.30.2
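Review bot: The store `tclc->tc_line[tclc->tc_lineoffset] = in[i];` still runs before any bounds test, so it is in bounds only if `tc_lineoffset < tc_line_size` already holds on loop entry and after the branches that follow the drop-line comment, none of which are visible in this hunk. The new `+ 1` comparison preserves that invariant on the increment path; I would state it next to the store, e.g. `/* invariant: tc_lineoffset < tc_line_size, so this store is in bounds */`, or enforce it with `assert(tclc->tc_lineoffset < tclc->tc_line_size);` ahead of the store. Since the bytes in `in` presumably come from the client connection, a regression test that feeds a line of exactly `tc_line_size` bytes would pin the boundary this commit fixes. The `for` loop and `tcl_input` both start and end outside the hunk.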