Description
Checklist
- Checked the issue tracker for similar issues to ensure this is not a duplicate
- Read the documentation to confirm the issue is not addressed there and your configuration is set correctly
- Tested with the latest version to ensure the issue hasn't been fixed
How often does this bug occur?
always
Expected behavior
When reading from JTAG, the esp32 would send the whole data.
Actual behavior (suspected bug)
When the requested data is too large, the esp32 will reboot (due to memory out of bounds, overwriting usb_sendbuf to 0 (in serial.c), causing an xRingbufferReceiveUpTo assertion failure in usb_sender_task).
Error logs or terminal output
Steps to reproduce the behavior
I use this command to read data in openocd:
openocd -f /path/to/openocd.cfg -l ../openocd.log -d4 -c "init" -c "jtagspi_init ecp5.pld \"\" -1" -c "flash read_bank 0 /path/to/test.bank 0 1088"
openocd.cfg content is:
adapter driver esp_usb_jtag
espusbjtag vid_pid 0x303a 0x1002
# string descriptor index:10
espusbjtag caps_descriptor 0x030A
# max speed
adapter speed 1000
transport select jtag
reset_config none
source [find fpga/lattice_ecp5.cfg]
set JTAGSPI_CHAIN_ID ecp5.pld
source [find cpld/jtagspi.cfg]
I think you can test on other jtag devices.
Project release version
master
System architecture
Intel/AMD 64-bit (modern PC, older Mac)
Operating system
Linux
Operating system version
arch
Shell
Bash
Additional context
For my hardware (and maybe for all hardware), when I request 1087 bytes, it's OK. But with 1088 bytes, it crashes.
These two lines write to s_tdo_bytes without any check: s_tdo_bytes[s_total_tdo_bits / 8] |= (esp_gpio_tdo_read() << (s_total_tdo_bits % 8)); and memset(s_tdo_bytes + (s_usb_sent_bits / 8), 0x00, n_byte);.
The threshold is 1088 because it will trigger the memset (as above) of 64 bytes at s_tdo_bytes + 1024, and usb_sendbuf is there.
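A bounds-checked form of the two writes quoted in the report, as an added example that is neither the reporter's nor the project's code. The 1024-byte capacity, the `neighbour` array standing in for the data placed after the buffer, and every function and struct name here are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define TDO_CAP 1024   /* assumed capacity (the report places usb_sendbuf at s_tdo_bytes + 1024) */

/* Constructed layout: 'neighbour' stands in for the data placed after the buffer. */
struct tdo_state {
    uint8_t bytes[TDO_CAP];
    uint8_t neighbour[64];
    size_t total_bits;             /* bits captured so far */
};

/* Store one captured TDO bit; refuse instead of writing past the buffer. */
int tdo_push_bit(struct tdo_state *s, unsigned bit)
{
    size_t idx = s->total_bits / 8;
    if (idx >= TDO_CAP)
        return -1;
    s->bytes[idx] |= (uint8_t)((bit & 1u) << (s->total_bits % 8));
    s->total_bits++;
    return 0;
}

/* Zero n_byte bytes starting at byte sent_bits / 8, only if the range fits. */
int tdo_clear_sent(struct tdo_state *s, size_t sent_bits, size_t n_byte)
{
    size_t off = sent_bits / 8;
    if (off > TDO_CAP || n_byte > TDO_CAP - off)
        return -1;
    memset(s->bytes + off, 0x00, n_byte);
    return 0;
}

/* Capture n_bytes of all-ones TDO data; returns the bytes actually stored. */
size_t tdo_capture(struct tdo_state *s, size_t n_bytes)
{
    memset(s, 0, sizeof *s);
    memset(s->neighbour, 0xA5, sizeof s->neighbour);   /* canary pattern */
    for (size_t i = 0; i < n_bytes * 8 && tdo_push_bit(s, 1) == 0; i++)
        ;
    return s->total_bits / 8;
}

int main(void)
{
    static struct tdo_state s;
    printf("stored %zu of 1088 bytes\n", tdo_capture(&s, 1088));
    printf("clear at 1024: %d\n", tdo_clear_sent(&s, 1024 * 8, 64));
    return 0;
}
```

With both checks in place an oversized request is truncated or rejected by the caller rather than zeroing the adjacent memory.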