Bug 1533 - scpi-pps config_list() does out-of-bounds array access when accessing channel_spec (channels) array
Summary: scpi-pps config_list() does out-of-bounds array access when accessing channel...
Status: RESOLVED FIXED
Alias: None
Product: libsigrok
Classification: Unclassified
Component: Driver: scpi-pps (show other bugs)
Version: unreleased development snapshot
Hardware: All All
: Normal normal
Target Milestone: ---
Assignee: Nobody
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-04-08 12:56 CEST by Florian Schmidt
Modified: 2020-04-11 16:06 CEST (History)
1 user (show)


Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Florian Schmidt 2020-04-08 12:56:22 CEST 
causes problems only if PPS has more than one measurable output unit per channel
(like voltage and current).

calling config_list() for channel groups other than only the first channel might result in out-of-bounds access returning garbage.

found with a 4 channel PPS that reports voltage & current per "hardware" channel.

$ sigrok-cli -g 3 --show
reported garbage limits for voltage_target & current_limits.
also SmuView displayed invalid/unusable ranges.

seen with libsigrok master HEAD 2b001a766ad5eadb38ce4025b62b06522b6c52c6.

proposed fix in pull-request https://github.com/sigrokproject/libsigrok/pull/56

i think the problem is caused by using ((struct sr_channel*)cg->channels->data)->index as index into devc->device->channels.
bot scpi-pps/api.c probe_device() can create more channels than there are (struct channel_spec)'s in that array. (comment there says "Create one channel per measurable output unit.") the code there also provides a (struct pps_channel) that includes the "hw_output_idx" which can be used a valid index. this is what i used in that pull-request.
Comment 1 Uwe Hermann 2020-04-11 16:06:39 CEST 
Fixed in 8f3c77db26dece82109b386ad5ba7ea344b1ec8f, thanks!