[U-Boot] [PATCH] new env: fix off-by-one error in setenv command

Wolfgang Denk wd at denx.de
Sun Jul 18 00:48:34 CEST 2010


Fix an off-by-one error in the string concatenation for the setenv
command which would write over the end of the allocated area,
resulting eventually in a crash due to corruption of the malloc
metadata.

Signed-off-by: Wolfgang Denk <wd at denx.de>
---
Posted as incremental patch here to provide quick fix to testers (also
pushed to "hashtable" branch in u-boot-testing repo). Will be squashed
into new env code patch when resubmitting.

 common/cmd_nvedit.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/common/cmd_nvedit.c b/common/cmd_nvedit.c
index 976a30b..010d003 100644
--- a/common/cmd_nvedit.c
+++ b/common/cmd_nvedit.c
@@ -273,7 +273,7 @@ int _do_env_set (int flag, int argc, char * const argv[])
 	/*
 	 * Insert / replace new value
 	 */
-	for (i=2,len=1; i<argc; ++i) {
+	for (i=2,len=0; i<argc; ++i) {
 		len += strlen(argv[i]) + 1;
 	}
 	if ((value = malloc(len)) == NULL) {
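Review bot: In the sizing loop at the top of this hunk, starting from len=0 means `malloc(len)` is called with a zero size whenever there is no argv[i] with i >= 2, and the result of malloc(0) is implementation-defined (NULL or a pointer that must not be written through). If the code above this hunk does not already return for argc < 3, an explicit check on len before the allocation would make that case well-defined.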
@@ -285,7 +285,7 @@ int _do_env_set (int flag, int argc, char * const argv[])
 
 		while ((*s++ = *v++) != '\0')
 			;
-		*s++ = ' ';
+		*(s-1) = ' ';
 	}
 	if (s != value)
 		*--s = '\0';
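Review bot: `*(s-1) = ' ';` depends on the copy loop just above it having stored the terminating NUL and left s one past it, which is easy to miss when reading the line on its own; `s[-1] = ' ';` with a one-line comment, or a copy loop that stops before the NUL and then appends the separator, would state the intent directly. With this change each argument writes exactly strlen(argv[i]) + 1 bytes, so the copy fills the buffer sized in the first hunk with no spare byte and the final `*--s = '\0'` reuses the last separator's slot; a comment recording that invariant would guard against a later edit reintroducing the overflow.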
-- 
1.7.1.1


