public inbox for u-boot@lists.denx.de
From: "Pali Rohár" <pali@kernel.org>
To: "Simon Glass" <sjg@chromium.org>,
	"Heinrich Schuchardt" <xypron.glpk@gmx.de>,
	"Michal Simek" <michal.simek@xilinx.com>,
	"Marek Behún" <marek.behun@nic.cz>
Cc: u-boot@lists.denx.de
Subject: [PATCH 1/7] xyz-modem: Fix crash after cancelling transfer
Date: Tue,  3 Aug 2021 16:28:38 +0200
Message-ID: <20210803142844.19455-2-pali@kernel.org>
In-Reply-To: <20210803142844.19455-1-pali@kernel.org>

Variable xyz.len is set to -1 on error. At the end, the xyzModem_stream_read()
function calls memcpy() with the length from variable xyz.len. If this variable
is set to -1, then the value passed to memcpy is cast to an unsigned value, which
means copying the whole address space. This then causes U-Boot to crash. E.g. on
arm64 it causes a CPU crash: "Synchronous Abort" handler, esr 0x96000006

Fix this issue by checking that the value stored in xyz.len is valid prior to
trying to use it.

Signed-off-by: Pali Rohár <pali@kernel.org>
---
 common/xyzModem.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/common/xyzModem.c b/common/xyzModem.c
index fc3459ebbafe..b1b72aae0baf 100644
--- a/common/xyzModem.c
+++ b/common/xyzModem.c
@@ -494,7 +494,7 @@ xyzModem_stream_read (char *buf, int size, int *err)
   total = 0;
   stat = xyzModem_cancel;
   /* Try and get 'size' bytes into the buffer */
-  while (!xyz.at_eof && (size > 0))
+  while (!xyz.at_eof && xyz.len >= 0 && (size > 0))
     {
       if (xyz.len == 0)
 	{
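Review bot: The new `xyz.len >= 0` term in the loop condition depends on the -1 error sentinel, which is described only in the commit message; a short comment above the `while` saying that a negative xyz.len marks a failed or cancelled transfer would keep the check from looking redundant later. The hunk also does not show what the caller receives through `*err` when the loop is skipped for this reason: `total` is 0 and `stat` is still xyzModem_cancel at this point, so please confirm the exit path reports an error rather than something the caller could take for a clean zero-length read. Minor style point: `(size > 0)` is parenthesised and the new term is not; pick one form for the whole condition.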
@@ -587,7 +587,7 @@ xyzModem_stream_read (char *buf, int size, int *err)
 	    }
 	}
       /* Don't "read" data from the EOF protocol package */
-      if (!xyz.at_eof)
+      if (!xyz.at_eof && xyz.len > 0)
 	{
 	  len = xyz.len;
 	  if (size < len)
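Review bot: The comment above the changed `if` still reads `Don't "read" data from the EOF protocol package`, but the condition now also skips the copy when xyz.len is zero or negative, and that is the part that actually keeps a negative length away from memcpy(). Please extend the comment to cover the error case. Note also that this guard uses `> 0` while the loop condition in the first hunk uses `>= 0`; the difference looks intentional (zero means "fetch the next packet" at the top of the loop) but it is worth stating in the comment. Since `len` is a signed int that ends up as a memcpy() length, a follow-up that gives the error state its own flag instead of overloading the length field would remove this class of bug rather than guarding one call site.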
-- 
2.20.1


Thread overview: 21+ messages
2021-08-03 14:28 [PATCH 0/7] xyz-modem: Fix cancelling and closing transfers Pali Rohár
2021-08-03 14:28 ` Pali Rohár [this message]
2021-08-04  8:50   ` [PATCH 1/7] xyz-modem: Fix crash after cancelling transfer Heinrich Schuchardt
2021-09-03 21:29   ` Tom Rini
2021-08-03 14:28 ` [PATCH 2/7] xyz-modem: Fix x-modem "xyzModem_eof error" at the end of file Pali Rohár
2021-08-12 21:46   ` Simon Glass
2021-08-03 14:28 ` [PATCH 3/7] xyz-modem: Put xyzModem_stream_close debug diagnostic message into ZM_DEBUG() Pali Rohár
2021-08-04  9:30   ` Heinrich Schuchardt
2021-08-06 16:20     ` Pali Rohár
2021-08-03 14:28 ` [PATCH 4/7] xyz-modem: Close stream after processing/sending terminate sequence Pali Rohár
2021-08-04  8:59   ` Heinrich Schuchardt
2021-08-06 16:27     ` Pali Rohár
2021-08-03 14:28 ` [PATCH 5/7] xyz-modem: Properly abort/terminate transfer on error Pali Rohár
2021-08-12 21:46   ` Simon Glass
2021-08-12 21:48     ` Pali Rohár
2021-08-03 14:28 ` [PATCH 6/7] xyz-modem: Show information about finished transfer Pali Rohár
2021-08-04  9:15   ` Heinrich Schuchardt
2021-08-06 16:16     ` Pali Rohár
2021-08-03 14:28 ` [PATCH 7/7] xyz-modem: Allow to cancel transfer also by CTRL+C Pali Rohár
2021-08-12 21:46   ` Simon Glass
2021-08-27  8:40 ` [PATCH 0/7] xyz-modem: Fix cancelling and closing transfers Pali Rohár
