[PATCH] xilinx: zynqmp: Fix snprintf invalid size argument

Francois Berder fberder at outlook.fr
Mon Jun 1 15:05:48 CEST 2026


buf is an array of size DFU_ALT_BUF_LEN bytes.
It is gradually filled with data using snprintf but the
size argument to snprintf is kept at DFU_ALT_BUF_LEN,
making it possible to overflow the buffer.
Fix this bug using the correct buffer size:
DFU_ALT_BUF_LEN - len.

Signed-off-by: Francois Berder <fberder at outlook.fr>
---
 board/xilinx/zynqmp/zynqmp.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/board/xilinx/zynqmp/zynqmp.c b/board/xilinx/zynqmp/zynqmp.c
index a1d8ae26673..272e92d8465 100644
--- a/board/xilinx/zynqmp/zynqmp.c
+++ b/board/xilinx/zynqmp/zynqmp.c
@@ -706,18 +706,18 @@ void configure_capsule_updates(void)
 	case SD_MODE1:
 		bootseq = mmc_get_env_dev();
 
-		len += snprintf(buf + len, DFU_ALT_BUF_LEN, "mmc %d=boot",
+		len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, "mmc %d=boot",
 			       bootseq);
 
 		if (multiboot)
-			len += snprintf(buf + len, DFU_ALT_BUF_LEN,
+			len += snprintf(buf + len, DFU_ALT_BUF_LEN - len,
 				       "%04d", multiboot);
 
-		len += snprintf(buf + len, DFU_ALT_BUF_LEN, ".bin fat %d 1",
+		len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, ".bin fat %d 1",
 			       bootseq);
 #if defined(CONFIG_SPL_FS_LOAD_PAYLOAD_NAME)
 		if (strlen(CONFIG_SPL_FS_LOAD_PAYLOAD_NAME))
-			len += snprintf(buf + len, DFU_ALT_BUF_LEN,
+			len += snprintf(buf + len, DFU_ALT_BUF_LEN - len,
 					";%s fat %d 1",
 					CONFIG_SPL_FS_LOAD_PAYLOAD_NAME,
 					bootseq);
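Review bot: The accumulation `len += snprintf(...)` in each of these calls still adds the length that would have been written rather than the length actually stored, so a single truncated call can leave `len` at or above DFU_ALT_BUF_LEN. The next call would then form `buf + len` past the end of the array, and `DFU_ALT_BUF_LEN - len` would go negative, which becomes a very large size once converted to `size_t` if `len` is a signed int (its declaration is outside the hunk, so this should be confirmed). U-Boot's `scnprintf` returns the number of characters actually placed in the buffer, so `len += scnprintf(buf + len, DFU_ALT_BUF_LEN - len, "mmc %d=boot", bootseq);` keeps `len` below the buffer size. The same applies to the two `sf 0:0=` calls in the second hunk. The body of configure_capsule_updates starts and ends outside both hunks, so whether the final `len` is checked before `buf` is used cannot be seen here.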
@@ -737,12 +737,12 @@ void configure_capsule_updates(void)
 			limit = CONFIG_SYS_SPI_U_BOOT_OFFS;
 #endif
 
-			len += snprintf(buf + len, DFU_ALT_BUF_LEN,
+			len += snprintf(buf + len, DFU_ALT_BUF_LEN - len,
 					"sf 0:0=boot.bin raw 0x%x 0x%x",
 					base, limit);
 #if defined(CONFIG_SPL_FS_LOAD_PAYLOAD_NAME) && defined(CONFIG_SYS_SPI_U_BOOT_OFFS)
 			if (strlen(CONFIG_SPL_FS_LOAD_PAYLOAD_NAME))
-				len += snprintf(buf + len, DFU_ALT_BUF_LEN,
+				len += snprintf(buf + len, DFU_ALT_BUF_LEN - len,
 						";%s raw 0x%x 0x%x",
 						CONFIG_SPL_FS_LOAD_PAYLOAD_NAME,
 						base + limit, size - limit);
-- 
2.43.0


