[U-Boot] [PATCH 7/9] mtd: Make sure the name passed in mtdparts fits in mtd_name[]
Boris Brezillon
boris.brezillon at bootlin.com
Mon Nov 19 11:51:19 UTC 2018
The local mtd_name[] variable is limited in size. Return an error if
the name passed in mtdparts does not fit in this local var.
Fixes: 5db66b3aee6f ("cmd: mtd: add 'mtd' command")
Signed-off-by: Boris Brezillon <boris.brezillon at bootlin.com>
---
Changes in v2:
- New patch
---
drivers/mtd/mtd_uboot.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/mtd/mtd_uboot.c b/drivers/mtd/mtd_uboot.c
index d551aee20203..0eda36278309 100644
--- a/drivers/mtd/mtd_uboot.c
+++ b/drivers/mtd/mtd_uboot.c
@@ -222,8 +222,8 @@ int mtd_probe_devices(void)
while (mtdparts[0] != '\0') {
char mtd_name[MTD_NAME_MAX_LEN], *colon;
struct mtd_partition *parts;
- int mtd_name_len, nparts;
- int ret;
+ unsigned int mtd_name_len;
+ int nparts, ret;
colon = strchr(mtdparts, ':');
if (!colon) {
@@ -231,7 +231,12 @@ int mtd_probe_devices(void)
return -EINVAL;
}
- mtd_name_len = colon - mtdparts;
+ mtd_name_len = (unsigned int)(colon - mtdparts);
+ if (mtd_name_len + 1 > sizeof(mtd_name)) {
+ printf("MTD name too long: %s\n", mtdparts);
+ return -EINVAL;
+ }
+
strncpy(mtd_name, mtdparts, mtd_name_len);
mtd_name[mtd_name_len] = '\0';
/* Move the pointer forward (including the ':') */
--
2.17.1
More information about the U-Boot
mailing list