[U-Boot] [PATCH 7/9] mtd: Make sure the name passed in mtdparts fits in mtd_name[]

Boris Brezillon boris.brezillon at bootlin.com
Mon Nov 19 11:51:19 UTC 2018


The local mtd_name[] variable is limited in size. Return an error if
the name passed in mtdparts does not fit in this local var.

Fixes: 5db66b3aee6f ("cmd: mtd: add 'mtd' command")
Signed-off-by: Boris Brezillon <boris.brezillon at bootlin.com>
---
Changes in v2:
- New patch
---
 drivers/mtd/mtd_uboot.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/mtd/mtd_uboot.c b/drivers/mtd/mtd_uboot.c
index d551aee20203..0eda36278309 100644
--- a/drivers/mtd/mtd_uboot.c
+++ b/drivers/mtd/mtd_uboot.c
@@ -222,8 +222,8 @@ int mtd_probe_devices(void)
 	while (mtdparts[0] != '\0') {
 		char mtd_name[MTD_NAME_MAX_LEN], *colon;
 		struct mtd_partition *parts;
-		int mtd_name_len, nparts;
-		int ret;
+		unsigned int mtd_name_len;
+		int nparts, ret;
 
 		colon = strchr(mtdparts, ':');
 		if (!colon) {
@@ -231,7 +231,12 @@ int mtd_probe_devices(void)
 			return -EINVAL;
 		}
 
-		mtd_name_len = colon - mtdparts;
+		mtd_name_len = (unsigned int)(colon - mtdparts);
+		if (mtd_name_len + 1 > sizeof(mtd_name)) {
+			printf("MTD name too long: %s\n", mtdparts);
+			return -EINVAL;
+		}
+
 		strncpy(mtd_name, mtdparts, mtd_name_len);
 		mtd_name[mtd_name_len] = '\0';
 		/* Move the pointer forward (including the ':') */
-- 
2.17.1



More information about the U-Boot mailing list