[U-Boot] [PATCH 1/1] ARM64: zynqmp: avoid out of buffer access

Heinrich Schuchardt xypron.glpk at gmx.de
Sun Jul 30 20:18:18 UTC 2017


strncat(a, b, c) appends a maximum of c characters plus the 0 byte
to a.

In board_init we first write 4 characters plus 0 byte to version.
So only ZYNQMP_VERSION_SIZE - 5 additional characters fit into
version.

The problem was indicated by cppcheck.

Signed-off-by: Heinrich Schuchardt <xypron.glpk at gmx.de>
---
 board/xilinx/zynqmp/zynqmp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/board/xilinx/zynqmp/zynqmp.c b/board/xilinx/zynqmp/zynqmp.c
index 51a3d9f276..bbcab9869e 100644
--- a/board/xilinx/zynqmp/zynqmp.c
+++ b/board/xilinx/zynqmp/zynqmp.c
@@ -133,10 +133,10 @@ int board_init(void)
 	if (current_el() != 3) {
 		static char version[ZYNQMP_VERSION_SIZE];
 
-		strncat(version, "xczu", ZYNQMP_VERSION_SIZE);
+		strncat(version, "xczu", 4);
 		zynqmppl.name = strncat(version,
 					zynqmp_get_silicon_idcode_name(),
-					ZYNQMP_VERSION_SIZE);
+					ZYNQMP_VERSION_SIZE - 5);
 		printf("Chip ID:\t%s\n", zynqmppl.name);
 		fpga_init();
 		fpga_add(fpga_xilinx, &zynqmppl);
-- 
2.13.2



More information about the U-Boot mailing list