[U-Boot] [PATCH v2] bootm: Avoid 256-byte overflow in fixup_silent_linux()

Doug Anderson dianders at chromium.org
Thu Oct 20 19:54:58 CEST 2011


This makes fixup_silent_linux() use malloc() to allocate its
working space, meaning that our maximum kernel command line
should only be limited by malloc().  Previously it was silently
overflowing the stack.

Signed-off-by: Doug Anderson <dianders at chromium.org>
---
v2: This is a simpler version of patch 3/4 in my previous patchset that just
uses malloc() without using the general command line munging funcs.  We can
separately continue to discuss about the general command func if desired.

 common/cmd_bootm.c |   44 ++++++++++++++++++++++++++++++++++----------
 1 files changed, 34 insertions(+), 10 deletions(-)

diff --git a/common/cmd_bootm.c b/common/cmd_bootm.c
index ece1b9a..5bddea4 100644
--- a/common/cmd_bootm.c
+++ b/common/cmd_bootm.c
@@ -1200,9 +1200,13 @@ U_BOOT_CMD(
 /* helper routines */
 /*******************************************************************/
 #ifdef CONFIG_SILENT_CONSOLE
+
+#define CONSOLE_ARG     "console="
+#define CONSOLE_ARG_LEN (sizeof(CONSOLE_ARG) - 1)
+
 static void fixup_silent_linux(void)
 {
-	char buf[256], *start, *end;
+	char *buf;
 	char *cmdline = getenv("bootargs");
 
 	/* Only fix cmdline when requested */
@@ -1210,25 +1214,45 @@ static void fixup_silent_linux(void)
 		return;
 
 	debug("before silent fix-up: %s\n", cmdline);
-	if (cmdline) {
-		start = strstr(cmdline, "console=");
+	if (cmdline && (cmdline[0] != '\0')) {
+		char *start = strstr(cmdline, "console=");
 		if (start) {
-			end = strchr(start, ' ');
-			strncpy(buf, cmdline, (start - cmdline + 8));
+			char *end = strchr(start, ' ');
+			int num_start_bytes = start - cmdline + CONSOLE_ARG_LEN;
+
+			/* We know cmdline bytes will be more than enough. */
+			buf = malloc(strlen(cmdline) + 1);
+			if (!buf) {
+				debug("WARNING: %s failed to alloc cmdline\n",
+				      __func__);
+				return;
+			}
+
+			strncpy(buf, cmdline, num_start_bytes);
 			if (end)
-				strcpy(buf + (start - cmdline + 8), end);
+				strcpy(buf + num_start_bytes, end);
 			else
-				buf[start - cmdline + 8] = '\0';
+				buf[num_start_bytes] = '\0';
 		} else {
-			strcpy(buf, cmdline);
-			strcat(buf, " console=");
+			buf = malloc(strlen(cmdline) + 1 + CONSOLE_ARG_LEN + 1);
+			if (!buf) {
+				debug("WARNING: %s failed to alloc cmdline\n",
+				      __func__);
+				return;
+			}
+			sprintf(buf, "%s %s", cmdline, CONSOLE_ARG);
 		}
 	} else {
-		strcpy(buf, "console=");
+		buf = strdup("console=");
+		if (!buf) {
+			debug("WARNING: strdup failed in fixup_silent_linux\n");
+			return;
+		}
 	}
 
 	setenv("bootargs", buf);
 	debug("after silent fix-up: %s\n", buf);
+	free(buf);
 }
 #endif /* CONFIG_SILENT_CONSOLE */
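Review bot: The new CONSOLE_ARG macro is not used at the two places where the literal "console=" still appears in this hunk, `strstr(cmdline, "console=")` and `strdup("console=")`; since CONSOLE_ARG_LEN is now used to index past that literal, keeping the string and its length in sync depends on all three sites agreeing, so these should read `strstr(cmdline, CONSOLE_ARG)` and `strdup(CONSOLE_ARG)`. `int num_start_bytes = start - cmdline + CONSOLE_ARG_LEN;` stores a pointer difference plus a size_t in an int; `size_t` would match the strncpy argument it feeds. The strncpy at that point is correct only because every following path writes the terminator (the strcpy or the explicit `'\0'`); a short comment there, `/* not NUL-terminated yet; the next statement terminates it */`, would keep a later edit from breaking that. The malloc sizes appear to match the "%s %s" format and the copied prefix, but the size of the second allocation is derived by hand from the format string, so any change to that sprintf must be mirrored in the allocation.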
 
-- 
1.7.2.3


