From: Ladislav Michl <ladis@linux-mips.org>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH 5/6] cmd: mtdparts: fix null pointer dereference in parse_mtdparts
Date: Mon, 20 Jun 2016 09:51:10 +0200
Message-ID: <20160620075110.GE1538@localhost.localdomain>
In-Reply-To: <20160620074707.GA1268@localhost.localdomain>
In case there is no mtdparts variable in relocated environment,
NULL is assigned to p, which is later fed to strncpy.
Also function parameter mtdparts is completely ignored, so use it
in case mtdparts variable is not found in environment. This
parameter is checked not to be NULL in caller.
Signed-off-by: Ladislav Michl <ladis@linux-mips.org>
--
diff --git a/cmd/mtdparts.c b/cmd/mtdparts.c
index 3a88a10..995cb87 100644
--- a/cmd/mtdparts.c
+++ b/cmd/mtdparts.c
@@ -1524,7 +1524,7 @@ static int spread_partitions(void)
*/
static int parse_mtdparts(const char *const mtdparts)
{
- const char *p = mtdparts;
+ const char *p;
struct mtd_device *dev;
int err = 1;
char tmp_parts[MTDPARTS_MAXLEN];
@@ -1538,20 +1538,25 @@ static int parse_mtdparts(const char *const mtdparts)
}
/* re-read 'mtdparts' variable, mtd_devices_init may be updating env */
- if (gd->flags & GD_FLG_ENV_READY) {
+ if (gd->flags & GD_FLG_ENV_READY)
p = getenv("mtdparts");
- } else {
- p = tmp_parts;
- getenv_f("mtdparts", tmp_parts, MTDPARTS_MAXLEN);
+ else {
+ if (getenv_f("mtdparts", tmp_parts, MTDPARTS_MAXLEN) != -1)
+ p = tmp_parts;
+ else
+ p = NULL;
}
+ if (!p)
+ p = mtdparts;
+
if (strncmp(p, "mtdparts=", 9) != 0) {
printf("mtdparts variable doesn't start with 'mtdparts='\n");
return err;
}
p += 9;
- while (p && (*p != '\0')) {
+ while (*p != '\0') {
err = 1;
if ((device_parse(p, &p, &dev) != 0) || (!dev))
break;
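Review bot: dropping the `p &&` guard from the while condition is only safe if device_parse() never leaves p NULL when it returns 0, because the call rewrites p through its second argument (`device_parse(p, &p, &dev)`) and the next iteration now evaluates `*p` unconditionally. Please confirm that in device_parse() or keep the guard. In the env re-read, `if (gd->flags & GD_FLG_ENV_READY) p = getenv("mtdparts"); else { ... }` ends up with braces on one branch only; the coding style asks for braces on both when either needs them, and the inner if/else could be flattened into an `else if (getenv_f(...) != -1)` chain. The fallback `if (!p) p = mtdparts;` is followed directly by `strncmp(p, "mtdparts=", 9)`, so it depends on the caller's NULL check that the commit message mentions; a one-line comment at the fallback stating that precondition would keep the next reader from having to look it up.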
@@ -1569,12 +1574,10 @@ static int parse_mtdparts(const char *const mtdparts)
list_add_tail(&dev->link, &devices);
err = 0;
}
- if (err == 1) {
+ if (err == 1)
device_delall(&devices);
- return 1;
- }
- return 0;
+ return err;
}
/**
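Review bot: the return-path rewrite at the end of parse_mtdparts() (`return err;` replacing the `return 1;` / `return 0;` pair) is a cleanup unrelated to the NULL dereference named in the subject, and it would be easier to review and bisect as its own patch or with a sentence about it in the commit message. It preserves behaviour only while err is never anything other than 0 or 1 at this point; that holds for the assignments visible here (`err = 1` at the top of the loop body, `err = 0` after `list_add_tail`), but any later change that stores another error code in err would now propagate it to the caller, so it is worth stating in the function comment what the return values are.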
--
2.1.4