
Commit d3f7bff

fix: check overflow before modifying IPC state in send functions
_rt_mb_send_wait, _rt_mq_send_wait, and rt_mq_urgent modified mailbox and message queue data structures before checking overflow conditions. On overflow, they returned errors without rolling back changes, causing state corruption. Moved overflow checks before state modifications. Signed-off-by: Srikanth Patchava <spatchava@meta.com> Signed-off-by: Srikanth Patchava <srikanth.patchava@outlook.com> Signed-off-by: Srikanth Patchava <srpatcha@users.noreply.github.com>
1 parent ddd2297 commit d3f7bff

1 file changed

Lines changed: 32 additions & 34 deletions


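--- a/src/ipc.c
+++ b/src/ipc.c
@@ -140,10 +140,7 @@ struct rt_thread *rt_susp_list_dequeue(rt_list_t *susp_list, rt_err_t thread_err
 }
 rt_sched_unlock(slvl);
 
-if (thread != RT_NULL)
-{
-LOG_D("resume thread:%s\n", thread->parent.name);
-}
+LOG_D("resume thread:%s\n", (thread == RT_NULL) ? "NULL" : thread->parent.name);
 
 return thread;
 }
@@ -2664,23 +2661,21 @@ static rt_err_t _rt_mb_send_wait(rt_mailbox_t mb,
 }
 }
 
+if(mb->entry >= RT_MB_ENTRY_MAX)
+{
+rt_spin_unlock_irqrestore(&(mb->spinlock), level);
+return -RT_EFULL; /* value overflowed */
+}
+
 /* set ptr */
 mb->msg_pool[mb->in_offset] = value;
 /* increase input offset */
 ++ mb->in_offset;
 if (mb->in_offset >= mb->size)
 mb->in_offset = 0;
 
-if(mb->entry < RT_MB_ENTRY_MAX)
-{
-/* increase message entry */
-mb->entry ++;
-}
-else
-{
-rt_spin_unlock_irqrestore(&(mb->spinlock), level);
-return -RT_EFULL; /* value overflowed */
-}
+/* increase message entry */
+mb->entry ++;
 
 /* resume suspended thread */
 if (!rt_list_isempty(&mb->parent.suspend_thread))
@@ -3506,6 +3501,16 @@ static rt_err_t _rt_mq_send_wait(rt_mq_t mq,
 
 /* disable interrupt */
 level = rt_spin_lock_irqsave(&(mq->spinlock));
+
+if(mq->entry >= RT_MQ_ENTRY_MAX)
+{
+/* return message to free list */
+msg->next = (struct rt_mq_message *)mq->msg_queue_free;
+mq->msg_queue_free = msg;
+rt_spin_unlock_irqrestore(&(mq->spinlock), level);
+return -RT_EFULL; /* value overflowed */
+}
+
 #ifdef RT_USING_MESSAGEQUEUE_PRIORITY
 msg->prio = prio;
 if (mq->msg_queue_head == RT_NULL)
@@ -3547,16 +3552,8 @@ static rt_err_t _rt_mq_send_wait(rt_mq_t mq,
 mq->msg_queue_head = msg;
 #endif
 
-if(mq->entry < RT_MQ_ENTRY_MAX)
-{
-/* increase message entry */
-mq->entry ++;
-}
-else
-{
-rt_spin_unlock_irqrestore(&(mq->spinlock), level);
-return -RT_EFULL; /* value overflowed */
-}
+/* increase message entry */
+mq->entry ++;
 
 /* resume suspended thread */
 if (!rt_list_isempty(&mq->parent.suspend_thread))
@@ -3697,6 +3694,15 @@ rt_err_t rt_mq_urgent(rt_mq_t mq, const void *buffer, rt_size_t size)
 
 level = rt_spin_lock_irqsave(&(mq->spinlock));
 
+if(mq->entry >= RT_MQ_ENTRY_MAX)
+{
+/* return message to free list */
+msg->next = (struct rt_mq_message *)mq->msg_queue_free;
+mq->msg_queue_free = msg;
+rt_spin_unlock_irqrestore(&(mq->spinlock), level);
+return -RT_EFULL; /* value overflowed */
+}
+
 /* link msg to the beginning of message queue */
 msg->next = (struct rt_mq_message *)mq->msg_queue_head;
 mq->msg_queue_head = msg;
@@ -3705,16 +3711,8 @@ rt_err_t rt_mq_urgent(rt_mq_t mq, const void *buffer, rt_size_t size)
 if (mq->msg_queue_tail == RT_NULL)
 mq->msg_queue_tail = msg;
 
-if(mq->entry < RT_MQ_ENTRY_MAX)
-{
-/* increase message entry */
-mq->entry ++;
-}
-else
-{
-rt_spin_unlock_irqrestore(&(mq->spinlock), level);
-return -RT_EFULL; /* value overflowed */
-}
+/* increase message entry */
+mq->entry ++;
 
 /* resume suspended thread */
 if (!rt_list_isempty(&mq->parent.suspend_thread))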
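Review bot: The new overflow exits in _rt_mq_send_wait and rt_mq_urgent hand `msg` back to `mq->msg_queue_free` and return -RT_EFULL without waking any sender that may be blocked waiting for a free message slot; if this queue lets senders suspend for a slot (the receive path, outside these hunks, presumably resumes them when it frees one), such a sender would stay parked until the next receive even though a slot just became free, so this is worth confirming against the receive path and resuming the sender here if so. The same nine-line block is duplicated verbatim in both functions (the two `if(mq->entry >= RT_MQ_ENTRY_MAX)` hunks); a small `static` helper taking the queue, the message and the saved interrupt level would keep the two reject paths from drifting apart. The added conditions are also written `if(mb->entry >= RT_MB_ENTRY_MAX)` and `if(mq->entry >= RT_MQ_ENTRY_MAX)` while the neighbouring code spaces them as `if (`; match the file's spacing. All three enclosing functions start and end outside the hunks.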
