OpenOCD bug report - heap buffer written out of range (a 4-byte store into a 1-byte gdb read-memory buffer)

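/*
 * Handle a GDB remote-protocol 'm' (read memory) packet: "m<addr>,<len>".
 *
 * connection:  the GDB client connection; the target is looked up from it.
 * packet:      the raw packet text, starting with the 'm' command character.
 * packet_size: length of packet (not consulted here; parsing relies on the
 *              ',' separator and the NUL terminator).
 *
 * Returns ERROR_OK, ERROR_SERVER_REMOTE_CLOSED when the packet is malformed,
 * or the status of the target read.
 *
 * NOTE(review): this excerpt is the abridged listing from the bug report; it
 * ends right after the target read, so the reply path that hex-encodes the
 * buffer for the client is not shown here.
 */
static int gdb_read_memory_packet(struct connection *connection,
		char const *packet, int packet_size)
{
	struct target *target = get_target_from_connection(connection);
	char *separator;
	uint32_t addr = 0;
	uint32_t len = 0;
	uint8_t *buffer;
	int retval = ERROR_OK;

	/* skip command character */
	packet++;

	addr = strtoul(packet, &separator, 16);

	if (*separator != ',') {
		LOG_ERROR("incomplete read memory packet received, dropping connection");
		return ERROR_SERVER_REMOTE_CLOSED;
	}

	/* len comes straight from the client; a missing or unparsable length
	 * yields 0 and is rejected below. */
	len = strtoul(separator + 1, NULL, 16);

	if (!len) {
		LOG_WARNING("invalid read memory packet received (len == 0)");
		gdb_put_packet(connection, NULL, 0);
		return ERROR_OK;
	}

	/* The allocation is exactly len bytes (in the report: len == 1, buffer
	 * at 0x928dd0).  Every byte the target read path stores must stay
	 * within these len bytes; the report shows a target driver calling
	 * h_u32_to_le() on this very pointer, which always writes 4 bytes and
	 * therefore overruns a 1-byte allocation by 3 bytes.  That has to be
	 * fixed in the driver's read path (honor the requested width); nothing
	 * here can make a 4-byte store into a 1-byte buffer safe. */
	buffer = malloc(len);
	if (!buffer) {
		/* len is client controlled, so a huge request can legitimately fail
		 * here; answer with an empty packet instead of dereferencing NULL. */
		LOG_ERROR("failed to allocate 0x%8.8" PRIx32 " bytes for read memory packet", len);
		gdb_put_packet(connection, NULL, 0);
		return ERROR_OK;
	}

	LOG_DEBUG("addr: 0x%8.8" PRIx32 ", len: 0x%8.8" PRIx32 "", addr, len);

	retval = target_read_buffer(target, addr, len, buffer);

	/* NOTE(review): the report's listing stops here.  The buffer is owned by
	 * this function, so it is released before returning. */
	free(buffer);

	return retval;
}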

// During the target_read_buffer() call above, h_u32_to_le() is invoked with buf == 0x928dd0 -- the
// same address as the 1-byte `buffer` -- and unconditionally stores 4 bytes, so 3 bytes land past
// the end of the allocation.

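/*
 * Store a 32-bit value into buf in little-endian byte order.
 *
 * buf: destination; MUST have room for at least 4 bytes.  This helper has no
 *      length parameter and always writes buf[0..3], so the caller is
 *      responsible for the bound.  Calling it for a narrower access (as the
 *      bug report shows, into a 1-byte buffer) is a heap overflow.
 * val: the value to store.  Taken as uint32_t so that right-shifting a
 *      negative value (implementation-defined for signed int) never arises;
 *      existing callers passing int convert implicitly and get the same bytes.
 */
static inline void h_u32_to_le(uint8_t *buf, uint32_t val)
{
	buf[3] = (uint8_t)(val >> 24);
	buf[2] = (uint8_t)(val >> 16);
	buf[1] = (uint8_t)(val >> 8);
	buf[0] = (uint8_t)(val >> 0);
}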


Result: a heap out-of-bounds write of 3 bytes past a 1-byte malloc'd buffer. Since `len` is parsed directly from the GDB client's 'm' packet, the client chooses the allocation size, and the target driver's read path writes at a wider granularity than requested.