[U-Boot] [PATCH v2] bootm: Avoid 256-byte overflow in fixup_silent_linux()
Doug Anderson
dianders at chromium.org
Thu Oct 20 19:54:58 CEST 2011
This makes fixup_silent_linux() use malloc() to allocate its
working space, meaning that our maximum kernel command line
should only be limited by malloc(). Previously it was silently
overflowing the stack.
Signed-off-by: Doug Anderson <dianders at chromium.org>
---
v2: This is a simpler version of patch 3/4 in my previous patchset that just
uses malloc() without using the general command line munging funcs. We can
separately continue to discuss the general command func if desired.
common/cmd_bootm.c | 44 ++++++++++++++++++++++++++++++++++----------
1 files changed, 34 insertions(+), 10 deletions(-)
diff --git a/common/cmd_bootm.c b/common/cmd_bootm.c
index ece1b9a..5bddea4 100644
--- a/common/cmd_bootm.c
+++ b/common/cmd_bootm.c
@@ -1200,9 +1200,13 @@ U_BOOT_CMD(
/* helper routines */
/*******************************************************************/
#ifdef CONFIG_SILENT_CONSOLE
+
+#define CONSOLE_ARG "console="
+#define CONSOLE_ARG_LEN (sizeof(CONSOLE_ARG) - 1)
+
static void fixup_silent_linux(void)
{
- char buf[256], *start, *end;
+ char *buf;
char *cmdline = getenv("bootargs");
/* Only fix cmdline when requested */
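Review bot: CONSOLE_ARG and CONSOLE_ARG_LEN are added here without a comment, and the following hunk still spells the literal in `strstr(cmdline, "console=")` and `strdup("console=")`, so the searched string and the length constant can drift apart on a later edit. Use the macro at both places, `char *start = strstr(cmdline, CONSOLE_ARG);` and `buf = strdup(CONSOLE_ARG);`, and put a one-line comment above the defines such as `/* Kernel argument that fixup_silent_linux() blanks */`. The body of fixup_silent_linux() continues past the end of this hunk.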
@@ -1210,25 +1214,45 @@ static void fixup_silent_linux(void)
return;
debug("before silent fix-up: %s\n", cmdline);
- if (cmdline) {
- start = strstr(cmdline, "console=");
+ if (cmdline && (cmdline[0] != '\0')) {
+ char *start = strstr(cmdline, "console=");
if (start) {
- end = strchr(start, ' ');
- strncpy(buf, cmdline, (start - cmdline + 8));
+ char *end = strchr(start, ' ');
+ int num_start_bytes = start - cmdline + CONSOLE_ARG_LEN;
+
+ /* We know cmdline bytes will be more than enough. */
+ buf = malloc(strlen(cmdline) + 1);
+ if (!buf) {
+ debug("WARNING: %s failed to alloc cmdline\n",
+ __func__);
+ return;
+ }
+
+ strncpy(buf, cmdline, num_start_bytes);
if (end)
- strcpy(buf + (start - cmdline + 8), end);
+ strcpy(buf + num_start_bytes, end);
else
- buf[start - cmdline + 8] = '\0';
+ buf[num_start_bytes] = '\0';
} else {
- strcpy(buf, cmdline);
- strcat(buf, " console=");
+ buf = malloc(strlen(cmdline) + 1 + CONSOLE_ARG_LEN + 1);
+ if (!buf) {
+ debug("WARNING: %s failed to alloc cmdline\n",
+ __func__);
+ return;
+ }
+ sprintf(buf, "%s %s", cmdline, CONSOLE_ARG);
}
} else {
- strcpy(buf, "console=");
+ buf = strdup("console=");
+ if (!buf) {
+ debug("WARNING: strdup failed in fixup_silent_linux\n");
+ return;
+ }
}
setenv("bootargs", buf);
debug("after silent fix-up: %s\n", buf);
+ free(buf);
}
#endif /* CONFIG_SILENT_CONSOLE */
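Review bot: `strstr(cmdline, "console=")` takes the first occurrence anywhere in the string, so an argument that merely ends in that text (for example `netconsole=`) is the one that gets blanked, while a real `console=` further along is left intact. Requiring an argument boundary fixes the match: `while (start && start != cmdline && start[-1] != ' ') start = strstr(start + 1, "console=");` directly after the initial strstr(). The three allocation-failure paths also `return` with bootargs unmodified and report only through `debug()`, so on a non-DEBUG build the fix-up is skipped without any trace. If the silent console is relied on to keep the kernel console quiet on deployed systems, that is a fail-open and probably deserves a message that is not compiled out. The condition guarding the early `return` at the top of this hunk lies outside the visible lines.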
--
1.7.2.3