Added checks for xIndex in ThreadLocalStorage APIs

It was possible for a third party that already independently gained the
ability to execute injected code to read from or write to arbitrary
addresses by passing a negative argument as the xIndex parameter to
pvTaskGetThreadLocalStoragePointer() or
vTaskSetThreadLocalStoragePointer respectively.

This commit adds checks to ensure that passing a negative argument as
the xIndex parameter does not cause arbitrary read or write.

We thank Certibit Consulting, LLC for reporting this issue.

Signed-off-by: Gaurav Aggarwal <[email protected]>

Author: aggarg

tasks.c

@@ -3600,7 +3600,8 @@ static portTASK_FUNCTION( prvIdleTask, pvParameters )
     {
         TCB_t * pxTCB;
 
-        if( xIndex < configNUM_THREAD_LOCAL_STORAGE_POINTERS )
+        if( ( xIndex >= 0 ) &&
+            ( xIndex < configNUM_THREAD_LOCAL_STORAGE_POINTERS ) )
         {
             pxTCB = prvGetTCBFromHandle( xTaskToSet );
             configASSERT( pxTCB != NULL );
@@ -3619,7 +3620,8 @@ static portTASK_FUNCTION( prvIdleTask, pvParameters )
         void * pvReturn = NULL;
         TCB_t * pxTCB;
 
-        if( xIndex < configNUM_THREAD_LOCAL_STORAGE_POINTERS )
+        if( ( xIndex >= 0 ) &&
+            ( xIndex < configNUM_THREAD_LOCAL_STORAGE_POINTERS ) )
         {
             pxTCB = prvGetTCBFromHandle( xTaskToQuery );
             pvReturn = pxTCB->pvThreadLocalStoragePointers[ xIndex ];