Paul Brook wrote:
> On Wednesday 17 September 2008, Paul Brook wrote:
>
>> On Wednesday 17 September 2008, Jason Wessel wrote:
>>
>>> * Fix a memory overrun
>>> recv_buf[RECV_BUF + 1];
>>> This has to be + 1 because RECV_BUF is used for memcpy computations
>>> in usb_serial_read() such that an extra byte is 0..RECV_BUF bytes
>>> are used.
>>>
>> I think this is wrong. I can't see any way this code could overflow.
>>
>
> On further inspection I can see a bug, but the above change is not the correct
> fix, and it will cause lost data not overflows. The calculation of
> first_size is incorrect when the buffer has wrapped.
>

The overflow was a result of the printf()'s introduced to track and print all the data. So it is correct in that you do not need the RECV_BUF+1 for the buffer for the base patch.

I did not see any kind of miscalculation with the first_size with or without the wrap condition. Regression testing with all the checksummed packets shows zero failures with the revised attached patch.

Obviously the math error as a result of not using variables that are large enough is a very real problem. With results that can easily be demonstrated.

Jason.