NAND buffer overflow

JOHN E LENZ jelenz at
Sun Jun 27 04:38:03 EDT 2004

I was getting some wierd errors accessing NAND flash.  I eventually traced the problem back to a buffer overflow in nand_read_raw.  This is using the current mtd CVS linked into a 2.6.7 kernel.

Here is the senerio.

in nand_bbt.c:nand_memory_bbt function calls create_bbt with
mtd->data_buf.  mtd->data_buf is of size 528

in create_bbt it calls nand_read_raw with the same buffer pointer and a readlen of 1024. Whups!

nand_read_raw drops into a loop and reads chuncks of pagesize into the buffer.  pagesize is 528, but the length to read is 1056, so it calls read_buf twice.  The problem is, the second call to read_buf will overflow and trash some memory since the buffer it is reading into is only 528 bytes.

The actual flash device is a Toshiba NAND 64MiB 3v3, 8-bit.


PS.  I tried sending this message with my standard mail client, but it is rejected by "Message has a suspicious header"  No other mailing lists I am on have problems.  What is this suspicious header and why is it blocking my email.  I wish the reject message would give me more information so I could actually fix the problem!!!  Oh I was going to attach the hardware driver I am using to control the nand device, but I don't really have access to it from this web client.

More information about the linux-mtd mailing list