Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependents: Embedded_web EmailButton EmailButton HTTPClient_Weather ... more
Issue: UDPSocket::receiveFrom --- no length check for receive buffer
I found an issue where there is no check on the udp_size to that of the target buffer. The variable length is passed to this function but not used (describes the length of the incoming buffer). I ran into some cases where the size based back from the eth->recv function was greater than the buffer causing overruns.
To treat this issue, I just return -1. This may not be the correct behavior for this function.
file: UDPSocket.cpp
// -1 if unsuccessful, else number of bytes received
int UDPSocket::receiveFrom(Endpoint &remote, char *buffer, int length)
{
uint8_t info[8];
int size = eth->wait_readable(_sock_fd, _blocking ? -1 : _timeout, sizeof(info));
if (size < 0) {
return -1;
}
eth->recv(_sock_fd, (char*)info, sizeof(info));
readEndpoint(remote, info);
int udp_size = info[6]<<8|info[7];
//TEST_ASSERT(udp_size <= (size-sizeof(info)));
if (udp_size > (size-sizeof(info))) {
return -1;
}
/* Perform Length check here to prevent buffer overrun */
if (udp_size > length)
{
//printf("udp_size: %d\n",udp_size);
return -1;
}
return eth->recv(_sock_fd, buffer, udp_size);
}
you're right. To overcome, if it happens, I think driver return error code and left its udp data on receive buffer in WIZnet chip for next operation. I'll consider about that and let you know the changes. Very Thanks, Sean.