From mboxrd@z Thu Jan  1 00:00:00 1970
From: Fredrik Roubert <roubert@df.lth.se>
Date: Mon, 9 Oct 2006 12:26:05 +0200
Subject: [U-Boot-Users] Buffer overflow in print_data() in ft_build.c
Message-ID: <20061009102605.GA4171@igloo.df.lth.se>
List-Id: <u-boot.lists.denx.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

Hi!

In print_data() in ft_build.c, printf() is used to print strings of
arbitrary length from the device tree, which will cause a buffer
overflow that crashes U-Boot if any of these strings is longer than
CFG_PBSIZE.

(I encountered this while debugging my flat device tree while having a
very long kernel parameter line.)

The attached patch changes print_data() to use puts() instead, which
doesn't have the buffer overflow problem.

Cheers // Fredrik Roubert

-- 
Visserij 192  |  +32 473 344527 / +46 708 776974
BE-9000 Gent  |  http://www.df.lth.se/~roubert/
-------------- next part --------------
diff -ur u-boot-2006-06-30-2020.orig/common/ft_build.c u-boot-2006-06-30-2020/common/ft_build.c
--- u-boot-2006-06-30-2020.orig/common/ft_build.c	2006-06-30 20:16:37.000000000 +0200
+++ u-boot-2006-06-30-2020/common/ft_build.c	2006-10-09 12:12:56.000000000 +0200
@@ -293,7 +293,9 @@
 		return;
 
 	if (is_printable_string(data, len)) {
-		printf(" = \"%s\"", (char *)data);
+		puts(" = \"");
+		puts(data);
+		puts("\"");
 		return;
 	}
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 303 bytes
Desc: not available
Url : http://lists.denx.de/pipermail/u-boot/attachments/20061009/2368dc96/attachment.pgp