[PATCH v2] boot: pxe_utils: Fix memory allocation issues in overlay_dir handling

Heinrich Schuchardt heinrich.schuchardt at canonical.com
Mon Nov 17 11:55:31 CET 2025


On 11/13/25 10:33, Kory Maincent wrote:
> From: "Kory Maincent (TI.com)" <kory.maincent at bootlin.com>
> 
> Fix two memory allocation bugs in label_boot_extension():
> 
> 1. When label->fdtdir is not set, overlay_dir was used without any
>     memory allocation.
> 
> 2. When label->fdtdir is set, the allocation size was incorrect,
>     using 'len' (just the fdtdir length) instead of 'dir_len' (which
>     includes the trailing slash and null terminator).
> 
> Resolve both issues by moving the memory allocation and string
> formatting outside the conditional block, resulting in clearer code
> flow and correct sizing in all cases.
> 
> Closes: https://lists.denx.de/pipermail/u-boot/2025-November/602892.html
> Fixes: 935109cd9e97 ("boot: pxe_utils: Add extension board devicetree overlay support")
> Signed-off-by: Kory Maincent (TI.com) <kory.maincent at bootlin.com>

Please, add

    Addresses-Coverity-ID: 638558 Memory - illegal accesses (UNINIT)

so that we know that the Coverity issue is resolved.

> ---
> 
> Change in v2:
> - Extract calloc and snprintf of the if condition.
> ---
>   boot/pxe_utils.c | 16 ++++++++--------
>   1 file changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/boot/pxe_utils.c b/boot/pxe_utils.c
> index 038416203fc..7549a93bdad 100644
> --- a/boot/pxe_utils.c
> +++ b/boot/pxe_utils.c
> @@ -473,18 +473,18 @@ static void label_boot_extension(struct pxe_context *ctx,
>   		else
>   			slash = "";
>   
> -		dir_len = strlen(label->fdtdir) + strlen(slash) + 1;
> -		overlay_dir = calloc(1, len);
> -		if (!overlay_dir)
> -			return;
> -
> -		snprintf(overlay_dir, dir_len, "%s%s", label->fdtdir,
> -			 slash);
> +		dir_len = len + strlen(slash) + 1;

This line could be moved after the else branch to simplify the code by 
avoiding separate assignments to dir_len.

Best regards

Heinrich

>   	} else {
>   		dir_len = 2;
> -		snprintf(overlay_dir, dir_len, "/");
> +		slash = "/";
>   	}
>   
> +	overlay_dir = calloc(1, dir_len);
> +	if (!overlay_dir)
> +		return;
> +
> +	snprintf(overlay_dir, dir_len, "%s%s", label->fdtdir ?: "", slash);
> +
>   	alist_for_each(extension, extension_list) {
>   		char *overlay_file;
>   		ulong size;
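
Review bot: The buffer size and the formatted string are still derived separately: in the else branch `dir_len = 2` hard-codes the length of the "/" that `slash` now carries, and in the if branch `dir_len = len + strlen(slash) + 1` is only correct while `len` still equals strlen(label->fdtdir), which is assigned outside this hunk. Computing the size once, immediately before the calloc() and from the same operands that are passed to snprintf(), for example `dir_len = strlen(label->fdtdir ?: "") + strlen(slash) + 1;`, would remove both assumptions and make it obvious that the allocation always matches what is written into it. Separately, the `if (!overlay_dir) return;` path fails silently in a void function, so an allocation failure here skips every extension overlay without any message; a log line before the return would make that visible.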
