• State Resolved
  • Locked Locked
  • Replies 7 replies
  • Subscribers 51 subscribers
  • Views 298 views
  • Users 0 members are here
Support feedback
Options
Options
Related

This thread has been locked.

If you have a related question, please click the "Ask a related question" button in the top right corner. The newly created question will be automatically linked to this question.

CC2674R10: OAD: Out of bound memory access while adding OAD service

Tobias Heiss
Intellectual 760 points
Part Number: CC2674R10
Other Parts Discussed in Thread: CC1354P10,

Tool/software:

Hey TI Team,

Example: basic_ble_oad_offchip_LP_EM_CC1354P10_1_tirtos7_ticlang
SDK: simplelink_cc13xx_cc26xx_sdk_7_41_00_17

While using OAD I discovered a serious issue in OAD_AddService.
GATTServApp_InitCharCfg seems to iterate over linkDBNumConns internally.
So iterating over linkDBNumConns in an external loop will write in memory regions beyond oadCCCDTable boundaries which leads to unpredictable crashes.

Best Regards,
Tobias

  • 0
    TI__Mastermind 42100 points

    Hi Tobias,

    Thank you for reaching out. Can you share how you verified that the memory is going out of bounds? I believe the entire region is allocated for OAD purposes.

    Best Regards,

    Jan

  • 0 in reply to Jan
    Intellectual 760 points

    Hi Jan,

    The issue has been discovered implementing OAD in a custom implementation using the oad_service.c from example.
    We changed number of connections from 8 -> 2. In case of the example code it might not crash but it is not safe.

    For verification I used the Memory Browser:

    Number of connections is 2, so oadCCCDTable is 24 bytes.
    But the initialization loop writes 28 bytes.

    Best Regards,

    Tobias

  • 0 in reply to Tobias Heiss
    TI__Mastermind 42100 points

    Hi Tobias,

    Can you clarify what you mean by custom implementation? Are you changing the default OAD scheme provided with the SDK?

    Best Regards,

    Jan

  • 0 in reply to Jan
    Intellectual 760 points

    Hi Jan,

    We use the CC2674R10 on an custom PCB.
    So we did some HW abstraction based changes in SysCfg.
    The OAD scheme was untouched, just taken from the example.

    If you compare the OAD_AddService() implementation from basic_ble_oad_offchip_LP_EM_CC1354P10_1_tirtos7_ticlang with other examle implementations e.g. OAD_open() from simple_peripheral_oad_offchip_CC26X2R1_LAUNCHXL_tirtos7_ticlang you wont find the external for loop to initialize the CCCD.

    Best Regards,
    Tobias

  • 0 in reply to Tobias Heiss
    TI__Mastermind 42100 points

    Hi Tobias,

    Understood, I apologize for the confusion. This likely may be an issue with the version of the OAD_AddService() that was included with the basic_ble example. The SDK  version you are using was among the first SDKs to contain the basic_ble example, so its possible the code used was not ideal. Can you try replacing the external loop with what is done in OAD_open()?

    Best Regards,

    Jan

  • 0 in reply to Jan
    Intellectual 760 points

    Hi Jan,

    Yes, but this requires to copy the service to local space.
    So it would be great if this is fixed in the next SDK release.

    Just to be sure you are aware of this issue and keep tracking it...

    Best Regards,
    Tobias

  • +1 in reply to Tobias Heiss
    TI__Mastermind 42100 points

    Hi Tobias,

    Understood, I will report this to the R&D team and file a ticket to get this address as soon as possible.

    Thank you for reporting this! I truly apologize for any inconvenience this may be causing.

    Best Regards,

    Jan