From mboxrd@z Thu Jan 1 00:00:00 1970 From: Boris Brezillon Date: Mon, 19 Nov 2018 12:51:19 +0100 Subject: [U-Boot] [PATCH 7/9] mtd: Make sure the name passed in mtdparts fits in mtd_name[] In-Reply-To: <20181119115121.7699-1-boris.brezillon@bootlin.com> References: <20181119115121.7699-1-boris.brezillon@bootlin.com> Message-ID: <20181119115121.7699-7-boris.brezillon@bootlin.com> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de The local mtd_name[] variable is limited in size. Return an error if the name passed in mtdparts does not fit in this local var. Fixes: 5db66b3aee6f ("cmd: mtd: add 'mtd' command") Signed-off-by: Boris Brezillon --- Changes in v2: - New patch --- drivers/mtd/mtd_uboot.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/mtd/mtd_uboot.c b/drivers/mtd/mtd_uboot.c index d551aee20203..0eda36278309 100644 --- a/drivers/mtd/mtd_uboot.c +++ b/drivers/mtd/mtd_uboot.c @@ -222,8 +222,8 @@ int mtd_probe_devices(void) while (mtdparts[0] != '\0') { char mtd_name[MTD_NAME_MAX_LEN], *colon; struct mtd_partition *parts; - int mtd_name_len, nparts; - int ret; + unsigned int mtd_name_len; + int nparts, ret; colon = strchr(mtdparts, ':'); if (!colon) { @@ -231,7 +231,12 @@ int mtd_probe_devices(void) return -EINVAL; } - mtd_name_len = colon - mtdparts; + mtd_name_len = (unsigned int)(colon - mtdparts); + if (mtd_name_len + 1 > sizeof(mtd_name)) { + printf("MTD name too long: %s\n", mtdparts); + return -EINVAL; + } + strncpy(mtd_name, mtdparts, mtd_name_len); mtd_name[mtd_name_len] = '\0'; /* Move the pointer forward (including the ':') */ -- 2.17.1
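Review bot: In the first hunk (@@ -222,8 +222,8 @@), mtd_name_len is changed to unsigned int, but its only new use is the comparison against sizeof(mtd_name) in the next hunk, and sizeof yields a size_t. Declaring it as size_t would match the type it is compared with and make the intent of the change clearer than the explicit `(unsigned int)` cast on `colon - mtdparts`. The commit message describes the length check only, so a short mention of why the signedness changes would also help.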
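Review bot: In the second hunk (@@ -231,7 +231,12 @@), the new error path calls `printf("MTD name too long: %s\n", mtdparts);`, which prints the whole remaining mtdparts string, including everything after the ':', rather than only the name that failed the check. Since mtd_name_len is already computed at that point, consider limiting the output to the first mtd_name_len characters so the diagnostic identifies just the offending device name. The bound itself, `mtd_name_len + 1 > sizeof(mtd_name)`, correctly reserves room for the terminator written by `mtd_name[mtd_name_len] = '\0';`.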