[PATCH] drivers/mtd/ubispl/ubispl.c: limit copy size
Benedikt Spranger
b.spranger at linutronix.de
Mon Aug 4 15:37:36 CEST 2025
The fastmap VID header is embedded in struct ubi_scan_info. During fastmap
scan, the header is copied into struct ubi_scan_info, if valid. The former
code mixed up the amount of copied bytes and copied more bytes than
nessesary. This had no side effect, since the affected struct members are
uninitialized at that point and overwritten later.
Limit the copied bytes to the VID header size.
Signed-off-by: Benedikt Spranger <b.spranger at linutronix.de>
Reported-by: Andrew Goodbody <andrew.goodbody at linaro.org>
---
drivers/mtd/ubispl/ubispl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mtd/ubispl/ubispl.c b/drivers/mtd/ubispl/ubispl.c
index 9face5fae15..0143caa051d 100644
--- a/drivers/mtd/ubispl/ubispl.c
+++ b/drivers/mtd/ubispl/ubispl.c
@@ -779,7 +779,7 @@ static int ubi_scan_fastmap(struct ubi_scan_info *ubi,
* that already so we merily copy it over.
*/
if (pnum == fm_anchor)
- memcpy(vh, ubi->blockinfo + pnum, sizeof(*fm));
+ memcpy(vh, ubi->blockinfo + pnum, sizeof(*vh));
if (i == 0) {
if (be32_to_cpu(vh->vol_id) != UBI_FM_SB_VOLUME_ID) {
--
2.50.0
More information about the U-Boot
mailing list