From 976c4173f0813ea5d3d2eaf35a55250100bf565d Mon Sep 17 00:00:00 2001
From: Yongrong Wang
Date: Tue, 23 Jul 2024 11:15:16 +0800
Subject: [PATCH] rpmsg_ping.c: fix msg data memset length

The range of memset exceeds the size of the buffer

Signed-off-by: Yongrong Wang
---
 drivers/rpmsg/rpmsg_ping.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/drivers/rpmsg/rpmsg_ping.c b/drivers/rpmsg/rpmsg_ping.c
index 9996285c4c254..28f3bcf3085f7 100644
--- a/drivers/rpmsg/rpmsg_ping.c
+++ b/drivers/rpmsg/rpmsg_ping.c
@@ -101,8 +101,6 @@ static int rpmsg_ping_ept_cb(FAR struct rpmsg_endpoint *ept,
 i, data_len);
 break;
 }
-
- msg->data[i] = 0;
 }
 }
 
@@ -132,9 +130,6 @@ static int rpmsg_ping_once(FAR struct rpmsg_endpoint *ept, int len,
 return -ENOMEM;
 }
 
- len = MAX(len, sizeof(struct rpmsg_ping_msg_s));
- len = MIN(len, *buf_len);
-
 msg->cmd = cmd;
 
 if ((msg->cmd & RPMSG_PING_RANDOMLEN_MASK) != 0)
@@ -146,13 +141,16 @@ static int rpmsg_ping_once(FAR struct rpmsg_endpoint *ept, int len,
 msg->len = len;
 }
 
+ msg->len = MAX(msg->len, sizeof(struct rpmsg_ping_msg_s));
+ msg->len = MIN(msg->len, *buf_len);
+
 if ((msg->cmd & RPMSG_PING_CHECK_MASK) != 0)
 {
 memset(msg->data, i, msg->len - sizeof(struct rpmsg_ping_msg_s) + 1);
 }
 else
 {
- memset(msg->data, 0, msg->len);
+ memset(msg->data, 0, msg->len - sizeof(struct rpmsg_ping_msg_s) + 1);
 }
 
 if ((msg->cmd & RPMSG_PING_ACK_MASK) != 0)
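Review bot: The length `msg->len - sizeof(struct rpmsg_ping_msg_s) + 1` used by both memset calls in the last hunk can still wrap around, because the added `MIN(msg->len, *buf_len)` runs after the `MAX` and can pull `msg->len` below the header size whenever `*buf_len` is smaller than `sizeof(struct rpmsg_ping_msg_s)`; the unsigned subtraction then yields a very large count and the fill runs past the payload buffer. No lower-bound check on `*buf_len` is visible in these hunks (rpmsg_ping_once begins above them, so one may already exist); if there is none, a guard before the first store to `msg`, `if (*buf_len < sizeof(struct rpmsg_ping_msg_s))` followed by an error return (releasing the tx buffer if the API requires it), would close the gap. The data length would also be safer computed once, `size_t datalen = msg->len - sizeof(struct rpmsg_ping_msg_s) + 1;`, and used in both branches so they cannot drift apart again. A short comment should say why the `+ 1` is there, presumably because `data` is a one-byte array already counted in the sizeof, which these hunks do not show.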