rpmsg_ping.c: fix msg data memset length

wyr-7 · GUIDINGLI · commit 976c4173f081 · 2024-10-11T14:59:26.000+08:00
The range of memset exceeds the size of the buffer

Signed-off-by: Yongrong Wang &lt;wangyongrong@xiaomi.com&gt;
diff --git a/drivers/rpmsg/rpmsg_ping.c b/drivers/rpmsg/rpmsg_ping.c
@@ -101,8 +101,6 @@ static int rpmsg_ping_ept_cb(FAR struct rpmsg_endpoint *ept,
                      i, data_len);
               break;
             }
-
-          msg->data[i] = 0;
         }
     }
 
@@ -132,9 +130,6 @@ static int rpmsg_ping_once(FAR struct rpmsg_endpoint *ept, int len,
       return -ENOMEM;
     }
 
-  len = MAX(len, sizeof(struct rpmsg_ping_msg_s));
-  len = MIN(len, *buf_len);
-
   msg->cmd = cmd;
 
   if ((msg->cmd & RPMSG_PING_RANDOMLEN_MASK) != 0)
@@ -146,13 +141,16 @@ static int rpmsg_ping_once(FAR struct rpmsg_endpoint *ept, int len,
       msg->len = len;
     }
 
+  msg->len = MAX(msg->len, sizeof(struct rpmsg_ping_msg_s));
+  msg->len = MIN(msg->len, *buf_len);
+
   if ((msg->cmd & RPMSG_PING_CHECK_MASK) != 0)
     {
       memset(msg->data, i, msg->len - sizeof(struct rpmsg_ping_msg_s) + 1);
     }
   else
     {
-      memset(msg->data, 0, msg->len);
+      memset(msg->data, 0, msg->len - sizeof(struct rpmsg_ping_msg_s) + 1);
     }
 
   if ((msg->cmd & RPMSG_PING_ACK_MASK) != 0)

Original file line number	Diff line number	Diff line change
`@@ -101,8 +101,6 @@ static int rpmsg_ping_ept_cb(FAR struct rpmsg_endpoint *ept,`
`101`	`101`	`i, data_len);`
`102`	`102`	`break;`
`103`	`103`	`}`
`104`		`-`
`105`		`- msg->data[i] = 0;`
`106`	`104`	`}`
`107`	`105`	`}`
`108`	`106`
`@@ -132,9 +130,6 @@ static int rpmsg_ping_once(FAR struct rpmsg_endpoint *ept, int len,`
`132`	`130`	`return -ENOMEM;`
`133`	`131`	`}`
`134`	`132`
`135`		`- len = MAX(len, sizeof(struct rpmsg_ping_msg_s));`
`136`		`- len = MIN(len, *buf_len);`
`137`		`-`
`138`	`133`	`msg->cmd = cmd;`
`139`	`134`
`140`	`135`	`if ((msg->cmd & RPMSG_PING_RANDOMLEN_MASK) != 0)`
`@@ -146,13 +141,16 @@ static int rpmsg_ping_once(FAR struct rpmsg_endpoint *ept, int len,`
`146`	`141`	`msg->len = len;`
`147`	`142`	`}`
`148`	`143`
	`144`	`+ msg->len = MAX(msg->len, sizeof(struct rpmsg_ping_msg_s));`
	`145`	`+ msg->len = MIN(msg->len, *buf_len);`
	`146`	`+`
`149`	`147`	`if ((msg->cmd & RPMSG_PING_CHECK_MASK) != 0)`
`150`	`148`	`{`
`151`	`149`	`memset(msg->data, i, msg->len - sizeof(struct rpmsg_ping_msg_s) + 1);`
`152`	`150`	`}`
`153`	`151`	`else`
`154`	`152`	`{`
`155`		`- memset(msg->data, 0, msg->len);`
	`153`	`+ memset(msg->data, 0, msg->len - sizeof(struct rpmsg_ping_msg_s) + 1);`
`156`	`154`	`}`
`157`	`155`
`158`	`156`	`if ((msg->cmd & RPMSG_PING_ACK_MASK) != 0)`