
Unsafe code in ezradiodrv v.4.1.0

The file ezradio_receive_plugin.c contains the function ezradioHandleReceivePlugin, which calls ezradio_fifo_info(EZRADIO_CMD_FIFO_INFO_ARG_FIFO_RX_BIT, NULL).

As we can see, the second parameter is NULL. Now let's look at the code of ezradio_fifo_info:

void ezradio_fifo_info(uint8_t fifo, ezradio_cmd_reply_t *ezradioReply)
{
    /* EZRadio command buffer; reused for the reply bytes below */
    uint8_t ezradioCmd[EZRADIO_CMD_REPLY_COUNT_FIFO_INFO];

    ezradioCmd[0] = EZRADIO_CMD_ID_FIFO_INFO;
    ezradioCmd[1] = fifo;

    /* Send FIFO_INFO and read the reply back into the same buffer */
    ezradio_comm_SendCmdGetResp( EZRADIO_CMD_ARG_COUNT_FIFO_INFO,
        ezradioCmd,
        EZRADIO_CMD_REPLY_COUNT_FIFO_INFO,
        ezradioCmd );

    /* ezradioReply is dereferenced unconditionally: a NULL argument
       writes through address 0 */
    ezradioReply->FIFO_INFO.RX_FIFO_COUNT = ezradioCmd[0];
    ezradioReply->FIFO_INFO.TX_FIFO_SPACE = ezradioCmd[1];
}

I think it would be better if ezradio_fifo_info checked ezradioReply for NULL before using it.
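
The hardened form of the function described above, as an added example that is not part of the thread or of ezradiodrv. It keeps the command send unconditional (the caller in ezradioHandleReceivePlugin presumably passes NULL because it only wants the RX-FIFO reset side effect, which is an assumption here) and skips only the write-back. The constant values, the reply struct layout, and the ezradio_comm_SendCmdGetResp stub that stands in for the SPI transport are constructed so the code runs on a host without the radio; only the names are taken from the thread.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Names mirror the thread; the values are assumed for this example and
 * are not copied from ezradiodrv. */
#define EZRADIO_CMD_ID_FIFO_INFO               0x15u
#define EZRADIO_CMD_ARG_COUNT_FIFO_INFO        2u
#define EZRADIO_CMD_REPLY_COUNT_FIFO_INFO      2u
#define EZRADIO_CMD_FIFO_INFO_ARG_FIFO_RX_BIT  0x02u

typedef struct {
    struct {
        uint8_t RX_FIFO_COUNT;
        uint8_t TX_FIFO_SPACE;
    } FIFO_INFO;
} ezradio_cmd_reply_t;

/* Constructed fake radio state so the transport stub can answer offline. */
static uint8_t  fake_rx_fifo_count = 7;
static uint8_t  fake_tx_fifo_space = 64;
static unsigned fifo_info_cmds_sent = 0;

/* Stub of the SPI transport (hypothetical, stands in for the driver's own):
 * a set RX bit empties the fake RX FIFO, and the two reply bytes are written
 * back into the caller's buffer just as the real call does. */
static void ezradio_comm_SendCmdGetResp(uint8_t cmdByteCount, uint8_t *pCmdData,
                                        uint8_t respByteCount, uint8_t *pRespData)
{
    (void)cmdByteCount;
    if (pCmdData[0] == EZRADIO_CMD_ID_FIFO_INFO) {
        fifo_info_cmds_sent++;
        if (pCmdData[1] & EZRADIO_CMD_FIFO_INFO_ARG_FIFO_RX_BIT) {
            fake_rx_fifo_count = 0;   /* RX FIFO reset side effect */
        }
    }
    if (respByteCount >= 2) {
        pRespData[0] = fake_rx_fifo_count;
        pRespData[1] = fake_tx_fifo_space;
    }
}

/* Hardened version: the command still goes out, the reply is copied only
 * when the caller actually supplied a buffer. */
void ezradio_fifo_info(uint8_t fifo, ezradio_cmd_reply_t *ezradioReply)
{
    uint8_t ezradioCmd[EZRADIO_CMD_REPLY_COUNT_FIFO_INFO];

    ezradioCmd[0] = EZRADIO_CMD_ID_FIFO_INFO;
    ezradioCmd[1] = fifo;

    ezradio_comm_SendCmdGetResp(EZRADIO_CMD_ARG_COUNT_FIFO_INFO, ezradioCmd,
                                EZRADIO_CMD_REPLY_COUNT_FIFO_INFO, ezradioCmd);

    if (ezradioReply == NULL) {
        return;   /* caller wanted only the side effect, nothing to report */
    }
    ezradioReply->FIFO_INFO.RX_FIFO_COUNT = ezradioCmd[0];
    ezradioReply->FIFO_INFO.TX_FIFO_SPACE = ezradioCmd[1];
}

/* Mirrors the call in ezradioHandleReceivePlugin: reset the RX FIFO without
 * asking for the reply. Returns how many FIFO_INFO commands were sent. */
unsigned reset_rx_fifo_no_reply(void)
{
    unsigned before = fifo_info_cmds_sent;
    ezradio_fifo_info(EZRADIO_CMD_FIFO_INFO_ARG_FIFO_RX_BIT, NULL);
    return fifo_info_cmds_sent - before;
}

/* Query-only use: read the RX FIFO level into a caller-owned reply. */
uint8_t query_rx_fifo_count(void)
{
    ezradio_cmd_reply_t reply;
    memset(&reply, 0, sizeof reply);
    ezradio_fifo_info(0, &reply);
    return reply.FIFO_INFO.RX_FIFO_COUNT;
}

/* Re-arm the fake radio with known FIFO levels (test/demo helper). */
void fake_radio_reset(uint8_t rx_count, uint8_t tx_space)
{
    fake_rx_fifo_count = rx_count;
    fake_tx_fifo_space = tx_space;
    fifo_info_cmds_sent = 0;
}

int main(void)
{
    fake_radio_reset(7, 64);
    printf("RX FIFO count before reset: %u\n", query_rx_fifo_count());
    reset_rx_fifo_no_reply();   /* NULL reply is now safe */
    printf("RX FIFO count after reset:  %u\n", query_rx_fifo_count());
    return 0;
}
```

Testing this kind of fix on the target alone can hide the original defect: on a Cortex-M part address 0 aliases the start of flash, so the stray write may be dropped silently rather than faulting. Building the driver for a host with -fsanitize=address (or -fsanitize=undefined), or configuring the MPU so the bottom page faults on access, makes the NULL write visible.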


Re: Unsafe code in ezradiodrv v.4.1.0

You're right. It probably didn't crash, because memory address 0x0 is the flash, and you can't just write to it.

Thanks for the report, I informed the developers.


Regards,

Andras