[PATCH] xilinx: versal: Fix snprintf invalid size argument
Michal Simek
michal.simek at amd.com
Tue Jun 2 16:34:50 CEST 2026
On 6/1/26 15:02, Francois Berder wrote:
> buf is an array of size DFU_ALT_BUF_LEN bytes.
> It is gradually filled with data using snprintf but the
> size argument to snprintf is kept at DFU_ALT_BUF_LEN,
> making it possible to overflow the buffer.
> Fix this bug using the correct buffer size:
> DFU_ALT_BUF_LEN - len.
>
> Signed-off-by: Francois Berder <fberder at outlook.fr>
> ---
> board/xilinx/versal/board.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/board/xilinx/versal/board.c b/board/xilinx/versal/board.c
> index 9371c30ea27..978909840b9 100644
> --- a/board/xilinx/versal/board.c
> +++ b/board/xilinx/versal/board.c
> @@ -418,14 +418,14 @@ void configure_capsule_updates(void)
> case SD_MODE1:
> bootseq = mmc_get_env_dev();
>
> - len += snprintf(buf + len, DFU_ALT_BUF_LEN, "mmc %d=boot",
> + len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, "mmc %d=boot",
> bootseq);
>
> if (multiboot)
> - len += snprintf(buf + len, DFU_ALT_BUF_LEN,
> + len += snprintf(buf + len, DFU_ALT_BUF_LEN - len,
> "%04d", multiboot);
>
> - len += snprintf(buf + len, DFU_ALT_BUF_LEN, ".bin fat %d 1",
> + len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, ".bin fat %d 1",
> bootseq);
> break;
> case QSPI_MODE_24BIT:
> @@ -438,7 +438,7 @@ void configure_capsule_updates(void)
>
> mtd_found_part(&base, &limit);
>
> - len += snprintf(buf + len, DFU_ALT_BUF_LEN,
> + len += snprintf(buf + len, DFU_ALT_BUF_LEN - len,
> "sf 0:0=boot.bin raw 0x%x 0x%x",
> base, limit);
> }
Please look at my reply in your second patch and please use scnprintf instead.
Thanks,
Michal
More information about the U-Boot
mailing list