* [U-Boot] Bug in netconsole?
@ 2012-11-14 9:59 Nick Thompson
2012-11-16 4:41 ` Joe Hershberger
0 siblings, 1 reply; 2+ messages in thread
From: Nick Thompson @ 2012-11-14 9:59 UTC (permalink / raw)
To: u-boot
I think there might be a bug in this commit:
http://git.denx.de/cgi-bin/gitweb.cgi?p=u-boot.git;a=commitdiff;h=2c8fe5120f8da013cbd789be2f10cce880972836
The commit makes "the netconsole buffer size configurable". It adds CONFIG_NETCONSOLE_BUFFER_SIZE and maintains the original 512 default value used to define the length of input_buffer[]. nc_input_packet uses sizeof this to read packet data into input_buffer[]. This appears fine.
The commit also adds to following in the output chain:
@@ -214,7 +218,7 @@ static void nc_puts(const char *s)
len = strlen(s);
while (len) {
- int send_len = min(len, 512);
+ int send_len = min(len, sizeof(input_buffer));
nc_send_packet(s, send_len);
len -= send_len;
s += send_len;
I can't see how this code relates to the sizeof input_buffer. The nc_puts data is written directly into NetTxPacket (plus header offsets) which is set to 1536 + alignment bytes long. If input_buffer is bigger than this, a buffer overflow will occur. Obviously the default value of 512 will not trigger the problem. The 512 magic number possibly ought to be derived from PKTSIZE_ALIGN (net.h), but I don't think sizeof(input_buffer) is appropriate here.
Regards,
Nick.
^ permalink raw reply [flat|nested] 2+ messages in thread
* [U-Boot] Bug in netconsole?
2012-11-14 9:59 [U-Boot] Bug in netconsole? Nick Thompson
@ 2012-11-16 4:41 ` Joe Hershberger
0 siblings, 0 replies; 2+ messages in thread
From: Joe Hershberger @ 2012-11-16 4:41 UTC (permalink / raw)
To: u-boot
Hi Nick,
On Wed, Nov 14, 2012 at 3:59 AM, Nick Thompson <nick.thompson@ge.com> wrote:
> I think there might be a bug in this commit:
>
> http://git.denx.de/cgi-bin/gitweb.cgi?p=u-boot.git;a=commitdiff;h=2c8fe5120f8da013cbd789be2f10cce880972836
>
> The commit makes "the netconsole buffer size configurable". It adds CONFIG_NETCONSOLE_BUFFER_SIZE and maintains the original 512 default value used to define the length of input_buffer[]. nc_input_packet uses sizeof this to read packet data into input_buffer[]. This appears fine.
>
> The commit also adds to following in the output chain:
>
> @@ -214,7 +218,7 @@ static void nc_puts(const char *s)
>
> len = strlen(s);
> while (len) {
> - int send_len = min(len, 512);
> + int send_len = min(len, sizeof(input_buffer));
> nc_send_packet(s, send_len);
> len -= send_len;
> s += send_len;
>
> I can't see how this code relates to the sizeof input_buffer. The nc_puts data is written directly into NetTxPacket (plus header offsets) which is set to 1536 + alignment bytes long. If input_buffer is bigger than this, a buffer overflow will occur. Obviously the default value of 512 will not trigger the problem. The 512 magic number possibly ought to be derived from PKTSIZE_ALIGN (net.h), but I don't think sizeof(input_buffer) is appropriate here.
I agree with your assessment based on this email (though I haven't dug
into the code yet to fix it). Thanks for the report.
-Joe
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2012-11-16 4:41 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-11-14 9:59 [U-Boot] Bug in netconsole? Nick Thompson
2012-11-16 4:41 ` Joe Hershberger
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox