From bd2cfe72f056cdb76afd964ca42c2233267dd7a4 Mon Sep 17 00:00:00 2001
From: Gareth McMullin
Date: Tue, 18 Apr 2017 11:41:11 +1200
Subject: [PATCH] Add range checking on mem access packets.
---
 src/gdb_main.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/src/gdb_main.c b/src/gdb_main.c
index 2364243..1a5805a 100644
--- a/src/gdb_main.c
+++ b/src/gdb_main.c
@@ -115,6 +115,10 @@ int gdb_main_loop(struct target_controller *tc, bool in_syscall)
 uint32_t addr, len;
 ERROR_IF_NO_TARGET();
 sscanf(pbuf, "m%" SCNx32 ",%" SCNx32, &addr, &len);
+ if (len > sizeof(pbuf) / 2) {
+ gdb_putpacketz("E02");
+ break;
+ }
 DEBUG("m packet: addr = %" PRIx32 ", len = %" PRIx32 "\n", addr, len);
 uint8_t mem[len];
 if (target_mem_read(cur_target, mem, addr, len))
@@ -136,6 +140,10 @@ int gdb_main_loop(struct target_controller *tc, bool in_syscall)
 int hex;
 ERROR_IF_NO_TARGET();
 sscanf(pbuf, "M%" SCNx32 ",%" SCNx32 ":%n", &addr, &len, &hex);
+ if (len > (unsigned)(size - hex) / 2) {
+ gdb_putpacketz("E02");
+ break;
+ }
 DEBUG("M packet: addr = %" PRIx32 ", len = %" PRIx32 "\n", addr, len);
 uint8_t mem[len];
 unhexify(mem, pbuf + hex, len);
@@ -251,6 +259,10 @@ int gdb_main_loop(struct target_controller *tc, bool in_syscall)
 int bin;
 ERROR_IF_NO_TARGET();
 sscanf(pbuf, "X%" SCNx32 ",%" SCNx32 ":%n", &addr, &len, &bin);
+ if (len > (unsigned)(size - bin)) {
+ gdb_putpacketz("E02");
+ break;
+ }
 DEBUG("X packet: addr = %" PRIx32 ", len = %" PRIx32 "\n", addr, len);
 if (target_mem_write(cur_target, addr, pbuf+bin, len))
 gdb_putpacketz("E01");
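Review bot: The new bound on `len` in the `m` handler runs before anything checks that sscanf actually parsed it: `addr` and `len` are declared without initialisers in the context line above, so a malformed `m` packet leaves `len` indeterminate and the new check, the `uint8_t mem[len]` VLA and `target_mem_read` all operate on garbage. A `len` of zero also passes the new check and then declares a zero-sized VLA, which C11 6.7.6.2 leaves undefined. I would fold both into the guard: `if (sscanf(pbuf, "m%" SCNx32 ",%" SCNx32, &addr, &len) != 2 || len == 0 || len > sizeof(pbuf) / 2) {`. The bound also presumes `pbuf` is an array defined in this file rather than a pointer (otherwise `sizeof(pbuf) / 2` is a couple of bytes); its definition is outside the hunk, so worth confirming. gdb_main_loop begins and ends outside this hunk.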
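Review bot: In the `M` handler `hex` is only written by the `%n` conversion once the literal `:` in the format has matched, and the context line `int hex;` gives it no initialiser, so an `M addr,len` packet without a `:` reaches the new `(unsigned)(size - hex)` test with an indeterminate `hex`; the cast then turns any negative difference into a large unsigned value that sails past the bound and `unhexify` reads from `pbuf + hex` anyway. Initialising and range-checking it closes the hole: `int hex = -1;` and `if (hex < 0 || hex > size || len > (unsigned)(size - hex) / 2) {`. This assumes `size` is the length of the packet currently held in `pbuf`, which the hunk does not show. The enclosing gdb_main_loop continues outside the hunk.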
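Review bot: The `X` handler has the same weakness as the new `M` check: `bin` is assigned only when the `:` in the sscanf format matches, the context line `int bin;` leaves it uninitialised, and the `(unsigned)` cast hides a negative `size - bin`, so a malformed `X` packet can pass the new bound and hand `target_mem_write` a pointer and length derived from indeterminate values. I would write it as `int bin = -1;` and `if (bin < 0 || bin > size || len > (unsigned)(size - bin)) {`. The four-line `E02` reject block now appears three times in this function with no comment on what each bound protects; at minimum a one-liner here such as `/* target_mem_write reads len bytes from pbuf + bin; reject anything that would run past the received packet. */` would tell the next reader why there is no `/ 2` in this one. gdb_main_loop begins and ends outside the hunk.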