Increase block_data size to allocate the uploaded firmware block

Solve #194: the block_sz was reaching the value 23, and block_data had only 20 bytes allocated (HPM_BLOCK_SIZE), so the memcpy call was corrupting the stack. After returning from req_handler, the restored value of R4 got corrupted resulting in an invalid memory access in the xQueueReceive function.
lnls-dig · Mar 7, 2024 · e88b30b · e88b30b
1 parent 37e2ad0
commit e88b30b
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 3 deletions.
diff --git a/modules/hpm.c b/modules/hpm.c
@@ -216,7 +216,7 @@ IPMI_HANDLER(ipmi_picmg_initiate_upgrade_action, NETFN_GRPEXT, IPMI_PICMG_CMD_HP
     uint8_t len = rsp->data_len = 0;
 
     uint8_t comp_id;
-    
+
     /* Set the component that'll be upgraded */
     /*
      * As specified in the Hardware Platform Management IPM Controller Firmware Upgrade Specification, Table 3-4,
@@ -310,6 +310,12 @@ IPMI_HANDLER(ipmi_picmg_upload_firmware_block, NETFN_GRPEXT, IPMI_PICMG_CMD_HPM_
     uint8_t block_data[HPM_BLOCK_SIZE];
     uint8_t block_sz = req->data_len-2;
 
+    if(block_sz > HPM_BLOCK_SIZE){
+       rsp->data_len = len;
+       rsp->completion_code = IPMI_CC_UNSPECIFIED_ERROR;
+       return;
+    }
+
     if (active_component == NULL) {
         /* Component ID out of range */
         rsp->data[len++] = IPMI_PICMG_GRP_EXT;

diff --git a/modules/hpm.h b/modules/hpm.h
@@ -36,7 +36,7 @@
 #define HPM_ROLLBACK_TIMEOUT 10 /* in 5 seconds counts */
 #define HPM_INACCESSIBILITY_TIMEOUT 10 /* in 5 seconds counts */
 
-#define HPM_BLOCK_SIZE 20
+#define HPM_BLOCK_SIZE 64
 
 /* Components ID */
 enum {
@@ -54,7 +54,7 @@ typedef uint8_t (* t_hpm_activate_firmware)(void);
 
 
 /*
- * Define the "Get target upgrade capabilities" message struct as define in the 
+ * Define the "Get target upgrade capabilities" message struct as define in the
  * Hardware Platform Management IPM Controller Firmware Upgrade Specification, Table 3-3
  */
 typedef union {