From 8c6745d53fcb75c14caa21f3cb917ab6fa5f2bcf Mon Sep 17 00:00:00 2001
From: Jean Cyr <jcyr@dillobits.com>
Date: Thu, 10 Jul 2014 00:41:09 -0400
Subject: [PATCH 1/2] Prevent stack overflow when flashing px4io

Large local variable causing stack overflow when attempting to flash
IO!!!
---
 src/drivers/px4io/px4io_uploader.cpp | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)

diff --git a/src/drivers/px4io/px4io_uploader.cpp b/src/drivers/px4io/px4io_uploader.cpp
index 7b6361a7ca..652949e411 100644
--- a/src/drivers/px4io/px4io_uploader.cpp
+++ b/src/drivers/px4io/px4io_uploader.cpp
@@ -39,6 +39,7 @@
 #include <nuttx/config.h>
 
 #include <sys/types.h>
+#include <stdlib.h>
 #include <stdint.h>
 #include <stdbool.h>
 #include <assert.h>
@@ -413,11 +414,17 @@ static int read_with_retry(int fd, void *buf, size_t n)
 int
 PX4IO_Uploader::program(size_t fw_size)
 {
-	uint8_t	file_buf[PROG_MULTI_MAX];
+	uint8_t	*file_buf;
 	ssize_t count;
 	int ret;
 	size_t sent = 0;
 
+	file_buf = (uint8_t *)malloc(PROG_MULTI_MAX);
+	if (!file_buf) {
+		log("Can't allocate program buffer");
+		return -ENOMEM;
+	}
+
 	log("programming %u bytes...", (unsigned)fw_size);
 
 	ret = lseek(_fw_fd, 0, SEEK_SET);
@@ -438,8 +445,10 @@ PX4IO_Uploader::program(size_t fw_size)
 			    (int)errno);
 		}
 
-		if (count == 0)
+		if (count == 0) {
+			free(file_buf);
 			return OK;
+		}
 
 		sent += count;
 
@@ -455,9 +464,12 @@ PX4IO_Uploader::program(size_t fw_size)
 
 		ret = get_sync(1000);
 
-		if (ret != OK)
+		if (ret != OK) {
+			free(file_buf);
 			return ret;
+		}
 	}
+	free(file_buf);
 	return OK;
 }
 

From 12da0efbb24ad135dbacb4b8f90199b3b38cb40d Mon Sep 17 00:00:00 2001
From: Jean Cyr <jcyr@dillobits.com>
Date: Thu, 10 Jul 2014 00:55:33 -0400
Subject: [PATCH 2/2] Read the full buffer

sizeof wont work here since file_buf is now a pointer
---
 src/drivers/px4io/px4io_uploader.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/drivers/px4io/px4io_uploader.cpp b/src/drivers/px4io/px4io_uploader.cpp
index 652949e411..d134c0246e 100644
--- a/src/drivers/px4io/px4io_uploader.cpp
+++ b/src/drivers/px4io/px4io_uploader.cpp
@@ -432,8 +432,8 @@ PX4IO_Uploader::program(size_t fw_size)
 	while (sent < fw_size) {
 		/* get more bytes to program */
 		size_t n = fw_size - sent;
-		if (n > sizeof(file_buf)) {
-			n = sizeof(file_buf);
+		if (n > PROG_MULTI_MAX) {
+			n = PROG_MULTI_MAX;
 		}
 		count = read_with_retry(_fw_fd, file_buf, n);