
Commit 72ad935

Fix rtc mem bounds check (#5372)
1 parent 3d70f43 commit 72ad935


1 file changed

+39
-3
lines changed


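--- a/cores/esp8266/Esp.cpp
+++ b/cores/esp8266/Esp.cpp
@@ -22,7 +22,7 @@
 #include "flash_utils.h"
 #include "eboot_command.h"
 #include <memory>
-#include <interrupts.h>
+#include "interrupts.h"
 #include "MD5Builder.h"
 #include "umm_malloc/umm_malloc.h"
 #include "cont.h"
@@ -132,9 +132,43 @@ uint64_t EspClass::deepSleepMax()
 
 }
 
+/*
+Layout of RTC Memory is as follows:
+Ref: Espressif doc 2C-ESP8266_Non_OS_SDK_API_Reference, section 3.3.23 (system_rtc_mem_write)
+
+|<------system data (256 bytes)------->|<-----------------user data (512 bytes)--------------->|
+
+SDK function signature:
+bool system_rtc_mem_read (
+uint32 des_addr,
+void * src_addr,
+uint32 save_size
+)
+
+The system data section can't be used by the user, so:
+des_addr must be >=64 (i.e.: 256/4) and <192 (i.e.: 768/4)
+src_addr is a pointer to data
+save_size is the number of bytes to write
+
+For the method interface:
+offset is the user block number (block size is 4 bytes) must be >= 0 and <128
+data is a pointer to data, 4-byte aligned
+size is number of bytes in the block pointed to by data
+
+Same for write
+
+Note: If the Updater class is in play, e.g.: the application uses OTA, the eboot
+command will be stored into the first 128 bytes of user data, then it will be
+retrieved by eboot on boot. That means that user data present there will be lost.
+Ref:
+- discussion in PR #5330.
+- https://github.com/esp8266/esp8266-wiki/wiki/Memory-Map#memmory-mapped-io-registers
+- Arduino/bootloaders/eboot/eboot_command.h RTC_MEM definition
+*/
+
 bool EspClass::rtcUserMemoryRead(uint32_t offset, uint32_t *data, size_t size)
 {
-if (size + offset > 512) {
+if (offset * 4 + size > 512 || size == 0) {
 return false;
 } else {
 return system_rtc_mem_read(64 + offset, data, size);
@@ -143,13 +177,15 @@ bool EspClass::rtcUserMemoryRead(uint32_t offset, uint32_t *data, size_t size)
 
 bool EspClass::rtcUserMemoryWrite(uint32_t offset, uint32_t *data, size_t size)
 {
-if (size + offset > 512) {
+if (offset * 4 + size > 512 || size == 0) {
 return false;
 } else {
 return system_rtc_mem_write(64 + offset, data, size);
 }
 }
 
+
+
 extern "C" void __real_system_restart_local();
 void EspClass::reset(void)
 {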
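Review bot: The new guard `offset * 4 + size > 512 || size == 0` in rtcUserMemoryRead does not enforce the `offset < 128` limit that the added comment documents, because `offset * 4` and the sum are computed in unsigned arithmetic and can wrap around. A wrapped product or sum can fall below 512, after which `64 + offset` and `size` are passed to system_rtc_mem_read unchanged. That could address the system data area or beyond, unless the SDK validates `des_addr` and `save_size` itself, which is not visible here. Checking each operand before combining them avoids the wrap: `if (size == 0 || offset >= 128 || size > 512 - offset * 4) {`. rtcUserMemoryWrite carries the identical line and needs the same change, where the consequence would be an out-of-range write rather than a read.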
