[PATCH] xilinx: zynqmp: Fix snprintf invalid size argument

Michal Simek michal.simek at amd.com
Tue Jun 2 16:34:18 CEST 2026



On 6/1/26 15:05, Francois Berder wrote:
> buf is an array of size DFU_ALT_BUF_LEN bytes.
> It is gradually filled with data using snprintf but the
> size argument to snprintf is kept at DFU_ALT_BUF_LEN,
> making it possible to overflow the buffer.
> Fix this bug using the correct buffer size:
> DFU_ALT_BUF_LEN - len.
> 
> Signed-off-by: Francois Berder <fberder at outlook.fr>
> ---
>   board/xilinx/zynqmp/zynqmp.c | 12 ++++++------
>   1 file changed, 6 insertions(+), 6 deletions(-)
> 
> diff --git a/board/xilinx/zynqmp/zynqmp.c b/board/xilinx/zynqmp/zynqmp.c
> index a1d8ae26673..272e92d8465 100644
> --- a/board/xilinx/zynqmp/zynqmp.c
> +++ b/board/xilinx/zynqmp/zynqmp.c
> @@ -706,18 +706,18 @@ void configure_capsule_updates(void)
>   	case SD_MODE1:
>   		bootseq = mmc_get_env_dev();
>   
> -		len += snprintf(buf + len, DFU_ALT_BUF_LEN, "mmc %d=boot",
> +		len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, "mmc %d=boot",
>   			       bootseq);
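
Review bot: In the changed call `snprintf(buf + len, DFU_ALT_BUF_LEN - len, ...)`, the new bound is only valid while `len` is smaller than DFU_ALT_BUF_LEN, and nothing in this hunk guarantees that. snprintf returns the length the output would have had without truncation, so once one call truncates, `len` passes the buffer size, `buf + len` points outside `buf`, and `DFU_ALT_BUF_LEN - len` converted to size_t becomes a very large bound. Accumulate with a function that returns the number of characters actually stored, or compare each return value with the remaining space before adding it to `len`.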

There are two issues here.
1. line alignment - checkpatch should report it.

2. When you are on this one and run a small example in U-Boot

         char buf[10];
         int len = 0;

         len += snprintf(buf + len, 10, "1234567890ab");
         printf("Len %d, %s\n", len, buf);
         len += snprintf(buf + len, 10 - len, "cdefgh");
         printf("Len %d, %s\n", len, buf);


you get
Len 12, 123456789
Len 18, 123456789

It means that when the buffer is full you are writing even behind it, which is also wrong.

But when you change it to

         char buf[10];
         int len = 0;

         len += scnprintf(buf + len, 10, "1234567890ab");
         printf("Len %d, %s\n", len, buf);
         len += scnprintf(buf + len, 10 - len, "cdefgh");
         printf("Len %d, %s\n", len, buf);

you get
Len 9, 123456789
Len 9, 123456789

It means please use scnprintf instead.

Thanks,
Michal
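
The accumulation pattern discussed in this reply, as an added example that is not part of the original mail or of U-Boot. `bounded_printf` is a hypothetical userspace stand-in that mimics the scnprintf return value, and `BUF_LEN` and the sample strings are constructed to match the 10-byte demo.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 10 /* constructed: same size as the demo buffer above */

/* Hypothetical stand-in with an scnprintf-style return value: the number
 * of characters actually stored, excluding the terminating NUL. */
static int bounded_printf(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (size == 0)
		return 0;
	va_start(ap, fmt);
	n = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (n < 0)
		return 0;
	return (size_t)n >= size ? (int)(size - 1) : n;
}

/* Bound the next call would get if len came from snprintf, which returns
 * the would-be length: size - len goes negative and wraps as size_t.
 * Only the arithmetic is done here, no second write. */
static size_t next_bound_snprintf(const char *s)
{
	char buf[BUF_LEN];
	int len = snprintf(buf, sizeof(buf), "%s", s);
	return (size_t)(BUF_LEN - len);
}

/* Same accumulation with the bounded helper: len stays below size. */
static int append_bounded(char *buf, size_t size, const char *a, const char *b)
{
	int len = bounded_printf(buf, size, "%s", a);
	len += bounded_printf(buf + len, size - len, "%s", b);
	return len;
}

int main(void)
{
	char buf[BUF_LEN];
	int len = append_bounded(buf, sizeof(buf), "1234567890ab", "cdefgh");
	printf("bounded: len %d, %s\n", len, buf);
	printf("next snprintf bound: %zu\n", next_bound_snprintf("1234567890ab"));
	return 0;
}
```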

