Fix a problem where filesystem writes could overwrite the firmware.

dbetz · dbetz · commit a5bcb63560c3 · 2019-07-31T19:01:50.000-04:00
Fix a bug where connections can be leaked on connection failures.
diff --git a/parallax/cgiprop.c b/parallax/cgiprop.c
@@ -146,16 +146,19 @@ int ICACHE_FLASH_ATTR cgiPropInit()
 //    GPIO_OUTPUT_SET(flashConfig.reset_pin, 1);
     GPIO_DIS_OUTPUT(flashConfig.reset_pin);
 
+    uint32_t fs_base, fs_size;
+    fs_base = roffs_base_address(&fs_size);
+    
     int ret;
-    if ((ret = roffs_mount(roffs_base_address())) != 0) {
+    if ((ret = roffs_mount(fs_base, fs_size)) != 0) {
         os_printf("Mounting flash filesystem failed: %d\n", ret);
         os_printf("Attempting to format...");
-        if ((ret = roffs_format(roffs_base_address())) != 0) {
+        if ((ret = roffs_format(fs_base)) != 0) {
             os_printf("Error formatting filesystem: %d\n", ret);
             return -1;
         }
         os_printf("Flash filesystem formatted.\n");
-        if ((ret = roffs_mount(roffs_base_address())) != 0) {
+        if ((ret = roffs_mount(fs_base, fs_size)) != 0) {
             os_printf("Mounting newly formatted flash filesystem failed: %d\n", ret);
             return -1;
         }
diff --git a/parallax/httpdroffs.c b/parallax/httpdroffs.c
@@ -117,11 +117,15 @@ int ICACHE_FLASH_ATTR cgiRoffsFormat(HttpdConnData *connData)
 #endif
     if (connData->conn == NULL)
         return HTTPD_CGI_DONE;
-    if (roffs_format(roffs_base_address()) != 0) {
+        
+    uint32_t fs_base, fs_size;
+    fs_base = roffs_base_address(&fs_size);
+    
+    if (roffs_format(fs_base) != 0) {
         httpdSendResponse(connData, 400, "Error formatting filesystem\r\n", -1);
         return HTTPD_CGI_DONE;
     }
-    if (roffs_mount(roffs_base_address()) != 0) {
+    if (roffs_mount(fs_base, fs_size) != 0) {
         httpdSendResponse(connData, 400, "Error mounting newly formatted flash filesystem\r\n", -1);
         return HTTPD_CGI_DONE;
     }
diff --git a/parallax/roffs.c b/parallax/roffs.c
@@ -30,9 +30,14 @@ Connector to let httpd use the espfs filesystem to serve the files in it.
 
 #include "roffsformat.h"
 
+// default filesystem size in flash
+#define FLASH_FILESYSTEM_SIZE_1M    (128*1024)
+#define FLASH_FILESYSTEM_SIZE_2M    (1*1024*1024)
+#define FLASH_FILESYSTEM_SIZE_4M    (3*1024*1024)
+
 // default filesystem base address in flash
-#define FLASH_FILESYSTEM_BASE_1M    (512*1024 - 128*1024)
-#define FLASH_FILESYSTEM_BASE_2M    (1024*1024)
+#define FLASH_FILESYSTEM_BASE_1M    (512*1024-FLASH_FILESYSTEM_SIZE_1M)
+#define FLASH_FILESYSTEM_BASE_2M_4M (1024*1024)
 
 // open file structure
 struct ROFFS_FILE_STRUCT {
@@ -48,30 +53,41 @@ struct ROFFS_FILE_STRUCT {
 
 // initialize to an invalid address to indicate that no filesystem is mounted
 static uint32_t fsData = BAD_FILESYSTEM_BASE;
+static uint32_t fsSize = 0;
+static uint32_t fsTop = 0;
 
 static int readFlash(uint32_t addr, void *buf, int size);
 static int writeFlash(uint32_t addr, void *buf, int size);
 static int updateFlash(uint32_t addr, void *buf, int size);
 
-uint32_t roffs_base_address(void)
+uint32_t roffs_base_address(uint32_t *pSize)
 {
     uint32_t base;
     switch (system_get_flash_size_map()) {
-    case FLASH_SIZE_8M_MAP_512_512:
+    case FLASH_SIZE_8M_MAP_512_512:     // 1MB
         base = FLASH_FILESYSTEM_BASE_1M;
+        *pSize = FLASH_FILESYSTEM_SIZE_1M;
+        os_printf("1MB flash: base %08x, size %d\n", base, *pSize);
+        break;
+    case FLASH_SIZE_16M_MAP_512_512:    // 2MB
+        base = FLASH_FILESYSTEM_BASE_2M_4M;
+        *pSize = FLASH_FILESYSTEM_SIZE_2M;
+        os_printf("2MB flash: base %08x, size %d\n", base, *pSize);
         break;
-    case FLASH_SIZE_16M_MAP_512_512:
-    case FLASH_SIZE_32M_MAP_512_512:
-        base = FLASH_FILESYSTEM_BASE_2M;
+    case FLASH_SIZE_32M_MAP_512_512:    // 4MB
+        base = FLASH_FILESYSTEM_BASE_2M_4M;
+        *pSize = FLASH_FILESYSTEM_SIZE_4M;
+        os_printf("4MB flash: base %08x, size %d\n", base, *pSize);
         break;
     default:
         base = 0;
+        os_printf("Unknown flash size\n");
         break;
     }
     return base;
 }
 
-int ICACHE_FLASH_ATTR roffs_mount(uint32_t flashAddress)
+int ICACHE_FLASH_ATTR roffs_mount(uint32_t flashAddress, uint32_t flashSize)
 {
 	RoFsHeader testHeader;
 
@@ -91,8 +107,11 @@ int ICACHE_FLASH_ATTR roffs_mount(uint32_t flashAddress)
 		return -3;
 
 	// filesystem is mounted successfully
-    DBG("mount: flash filesystem mounted at %08x\n", flashAddress);
+    DBG("mount: flash filesystem mounted at %08x, size %d\n", flashAddress, flashSize);
     fsData = flashAddress;
+    fsSize = flashSize;
+    fsTop = fsData + fsSize;
+    
     return 0;
 }
 
@@ -509,6 +528,11 @@ DBG("create: can't find insertion point\n");
         return NULL;
     }
 
+    if (insertionOffset + 2 * sizeof(RoFsHeader) > fsTop) {
+DBG("write: insufficient space\n");
+        return NULL;
+    }
+    
     if (!(file = (ROFFS_FILE *)os_malloc(sizeof(ROFFS_FILE)))) {
 DBG("create: insufficient memory\n");
         return NULL;
@@ -559,6 +583,10 @@ DBG("create: error reading new file name\n");
 int ICACHE_FLASH_ATTR roffs_write(ROFFS_FILE *file, char *buf, int len)
 {
     int roundedLen = (len + 3) & ~3;
+    if (file->start + file->size + roundedLen > fsTop) {
+DBG("write: insufficient space\n");
+        return -1;
+    }
     if (writeFlash(file->start + file->size, (uint32 *)buf, roundedLen) != SPI_FLASH_RESULT_OK) {
 DBG("write: error writing to file\n");
         return -1;
diff --git a/parallax/roffs.h b/parallax/roffs.h
@@ -28,8 +28,8 @@ Connector to let httpd use the espfs filesystem to serve the files in it.
 #include "roffsformat.h"
 typedef struct ROFFS_FILE_STRUCT ROFFS_FILE;
 
-uint32_t roffs_base_address(void);
-int roffs_mount(uint32_t flashAddress);
+uint32_t roffs_base_address(uint32_t *pSize);
+int roffs_mount(uint32_t flashAddress, uint32_t flashSize);
 int roffs_format(uint32_t flashAddress);
 int roffs_filecount(int *pCount);
 int roffs_fileinfo(int index, char *fileName, int *pFileSize);
diff --git a/parallax/sscp-tcp.c b/parallax/sscp-tcp.c
@@ -72,6 +72,7 @@ void ICACHE_FLASH_ATTR tcp_do_connect(int argc, char *argv[])
             sscp_log("TCP: looking up '%s'", argv[1]);
             return;
         default:
+            sscp_close_connection(c);
             sscp_sendResponse("E,%d", SSCP_ERROR_LOOKUP_FAILED);
             return;
         }
@@ -80,6 +81,7 @@ void ICACHE_FLASH_ATTR tcp_do_connect(int argc, char *argv[])
     memcpy(conn->proto.tcp->remote_ip, &ipAddr.addr, 4);
 
     if (espconn_connect(conn) != ESPCONN_OK) {
+        sscp_close_connection(c);
         sscp_sendResponse("E,%d", SSCP_ERROR_CONNECT_FAILED);
         return;
     }

Original file line number	Diff line number	Diff line change
`@@ -72,6 +72,7 @@ void ICACHE_FLASH_ATTR tcp_do_connect(int argc, char *argv[])`
`72`	`72`	`sscp_log("TCP: looking up '%s'", argv[1]);`
`73`	`73`	`return;`
`74`	`74`	`default:`
	`75`	`+ sscp_close_connection(c);`
`75`	`76`	`sscp_sendResponse("E,%d", SSCP_ERROR_LOOKUP_FAILED);`
`76`	`77`	`return;`
`77`	`78`	`}`
`@@ -80,6 +81,7 @@ void ICACHE_FLASH_ATTR tcp_do_connect(int argc, char *argv[])`
`80`	`81`	`memcpy(conn->proto.tcp->remote_ip, &ipAddr.addr, 4);`
`81`	`82`
`82`	`83`	`if (espconn_connect(conn) != ESPCONN_OK) {`
	`84`	`+ sscp_close_connection(c);`
`83`	`85`	`sscp_sendResponse("E,%d", SSCP_ERROR_CONNECT_FAILED);`
`84`	`86`	`return;`
`85`	`87`	`}`