From 390e987eb365c935ea3f3d2c958ddbb8bd52e5e5 Mon Sep 17 00:00:00 2001
From: Sebastian Huber
Date: Mon, 16 Sep 2013 10:43:30 +0200
Subject: libblock: PR2145: Limit maximum read-ahead blocks

This helps to prevent stack overflows due to configuration errors.
---
 cpukit/libblock/include/rtems/bdbuf.h | 2 +-
 cpukit/libblock/src/bdbuf.c | 15 +++++++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)
(limited to 'cpukit/libblock')
diff --git a/cpukit/libblock/include/rtems/bdbuf.h b/cpukit/libblock/include/rtems/bdbuf.h
index cde32d7c4c..2794af7300 100644
--- a/cpukit/libblock/include/rtems/bdbuf.h
+++ b/cpukit/libblock/include/rtems/bdbuf.h
@@ -460,7 +460,7 @@ extern const rtems_bdbuf_config rtems_bdbuf_configuration;
 * @retval RTEMS_SUCCESSFUL Successful operation.
 * @retval RTEMS_CALLED_FROM_ISR Called from an interrupt context.
 * @retval RTEMS_INVALID_NUMBER The buffer maximum is not an integral multiple
- * of the buffer minimum.
+ * of the buffer minimum. The maximum read-ahead blocks count is too large.
 * @retval RTEMS_RESOURCE_IN_USE Already initialized.
 * @retval RTEMS_UNSATISFIED Not enough resources.
 */
diff --git a/cpukit/libblock/src/bdbuf.c b/cpukit/libblock/src/bdbuf.c
index b7663f1408..9f5274c024 100644
--- a/cpukit/libblock/src/bdbuf.c
+++ b/cpukit/libblock/src/bdbuf.c
@@ -1378,6 +1378,13 @@ rtems_bdbuf_swapout_workers_create (void)
 return sc;
 }
+static size_t
+rtems_bdbuf_read_request_size (uint32_t transfer_count)
+{
+ return sizeof (rtems_blkdev_request) + + sizeof (rtems_blkdev_sg_buffer) * transfer_count;
+}
+
 /**
 * Initialise the cache.
 *
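Review bot: The multiplication in the new `rtems_bdbuf_read_request_size()` can wrap, which weakens the configuration check that the next hunk adds to `rtems_bdbuf_init()`. `transfer_count` is a `uint32_t`, so on a target where `size_t` is 32 bits a very large `max_read_ahead_blocks` makes `sizeof (rtems_blkdev_sg_buffer) * transfer_count` wrap to a small value that passes the `> RTEMS_MINIMUM_STACK_SIZE / 8U` comparison. Bounding the count rather than the computed size avoids the wrap, for example `if (bdbuf_config.max_read_ahead_blocks > (RTEMS_MINIMUM_STACK_SIZE / 8U - sizeof (rtems_blkdev_request)) / sizeof (rtems_blkdev_sg_buffer))`. That form assumes the stack budget is never smaller than the request header, which should be confirmed for the smallest supported stack size.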
@@ -1403,9 +1410,14 @@ rtems_bdbuf_init (void)
 /*
 * Check the configuration table values.
 */
+
 if ((bdbuf_config.buffer_max % bdbuf_config.buffer_min) != 0)
 return RTEMS_INVALID_NUMBER;
+ if (rtems_bdbuf_read_request_size (bdbuf_config.max_read_ahead_blocks)
+ > RTEMS_MINIMUM_STACK_SIZE / 8U)
+ return RTEMS_INVALID_NUMBER;
+
 /*
 * We use a special variable to manage the initialisation incase we have
 * completing threads doing this. You may get errors if the another thread
@@ -2077,8 +2089,7 @@ rtems_bdbuf_execute_read_request (rtems_disk_device *dd,
 */
 #define bdbuf_alloc(size) __builtin_alloca (size)
- req = bdbuf_alloc (sizeof (rtems_blkdev_request) +
- sizeof (rtems_blkdev_sg_buffer) * transfer_count);
+ req = bdbuf_alloc (rtems_bdbuf_read_request_size (transfer_count));
 req->req = RTEMS_BLKDEV_REQ_READ;
 req->done = rtems_bdbuf_transfer_done;
-- cgit v1.2.3
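Review bot: The limit `RTEMS_MINIMUM_STACK_SIZE / 8U` in the new check in `rtems_bdbuf_init()` is undocumented, and it is derived from a compile-time constant rather than from the stack of the task that later performs the stack allocation. Presumably the minimum stack size is meant as a conservative floor for any task that issues a read, but nothing in the hunk says so or explains the one-eighth budget. I would add a comment above the check, for example `/* The read request is allocated on the stack (alloca), so limit it to 1/8 of the minimum task stack size. */`. Both configuration failures return `RTEMS_INVALID_NUMBER`, so a caller cannot tell which limit was violated; the header comment could say that explicitly.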
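Review bot: The `bdbuf_alloc()` call in `rtems_bdbuf_execute_read_request()` remains an unchecked `__builtin_alloca`, and nothing at this call site ties `transfer_count` to the `max_read_ahead_blocks` value validated at init. The function starts and continues outside the hunk, so where `transfer_count` comes from is not visible here; the init-time check only protects the stack if every caller clamps to the configured maximum. I would record that dependency at the allocation with a comment such as `/* transfer_count must not exceed bdbuf_config.max_read_ahead_blocks, see rtems_bdbuf_init() */`, or with an equivalent debug assertion if the file has one available.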