From: Doug Anderson
To: U-Boot Mailing List
Cc: U-Boot Mailing List
Date: Wed, 11 Jan 2012 10:19:52 -0800
Subject: [U-Boot] [PATCH v2] bootm: Avoid 256-byte overflow in fixup_silent_linux()
Message-Id: <1326305992-27939-1-git-send-email-dianders@chromium.org>
In-Reply-To: <1319063459-4804-4-git-send-email-dianders@chromium.org>
References: <1319063459-4804-4-git-send-email-dianders@chromium.org>
X-Patchwork-Submitter: Doug Anderson
X-Patchwork-Id: 135460

This makes fixup_silent_linux() use malloc() to allocate its working
space, meaning that our maximum kernel command line should only be
limited by malloc(). Previously it was silently overflowing the
stack.

Note that nothing about this change increases the kernel's maximum
command line length. If you have a command line that is >256 bytes
it's up to you to make sure that kernel can handle it.

Signed-off-by: Doug Anderson
---
Changes in v2:
- Tried to trim down to just the minimum changes needed with no extra
  helper code.

 common/cmd_bootm.c | 38 ++++++++++++++++++++++++++++----------
 1 files changed, 28 insertions(+), 10 deletions(-)

diff --git a/common/cmd_bootm.c b/common/cmd_bootm.c index d5745b1..9a0c08d 100644 --- a/common/cmd_bootm.c +++ b/common/cmd_bootm.c @@ -1229,9 +1229,13 @@ U_BOOT_CMD( /* helper routines */ /*******************************************************************/ #ifdef CONFIG_SILENT_CONSOLE + +#define CONSOLE_ARG "console=" +#define CONSOLE_ARG_LEN (sizeof(CONSOLE_ARG) - 1) + static void fixup_silent_linux(void) { - char buf[256], *start, *end; + char *buf; char *cmdline = getenv("bootargs"); /* Only fix cmdline when requested */ @@ -1239,25 +1243,39 @@ static void fixup_silent_linux(void) return; debug("before silent fix-up: %s\n", cmdline); - if (cmdline) { - start = strstr(cmdline, "console="); + if (cmdline && (cmdline[0] != '\0')) { + char *start = strstr(cmdline, CONSOLE_ARG); + + /* Allocate space for maximum possible new command line */ + buf = malloc(strlen(cmdline) + 1 + CONSOLE_ARG_LEN + 1); + if (!buf) { + debug("%s: out of memory\n", __func__); + return; + } + if (start) { - end = strchr(start, ' '); - strncpy(buf, cmdline, (start - cmdline + 8)); + char *end = strchr(start, ' '); + int num_start_bytes = start - cmdline + CONSOLE_ARG_LEN; + + strncpy(buf, cmdline, num_start_bytes); if (end) - strcpy(buf + (start - cmdline + 8), end); + strcpy(buf + num_start_bytes, end); else - buf[start - cmdline + 8] = '\0'; + buf[num_start_bytes] = '\0'; } else { - strcpy(buf, cmdline); - strcat(buf, " console="); + sprintf(buf, "%s %s", cmdline, CONSOLE_ARG); } } else { - strcpy(buf, "console="); + buf = strdup(CONSOLE_ARG); + if (!buf) { + debug("%s: strdup failed\n", __func__); + return; + } } setenv("bootargs", buf); debug("after silent fix-up: %s\n", buf); + free(buf); } #endif /* CONFIG_SILENT_CONSOLE */
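
Review bot: fixup_silent_linux() is still declared static void in the first hunk, so the out-of-memory returns added in the second hunk exit before setenv() and leave bootargs untouched, and the caller cannot tell that the silent fix-up was skipped. The only trace is a debug() message. Consider returning an int (0 on success, an error code otherwise) so the caller can decide whether to continue booting with an unsilenced console, or at least report the failure with printf().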
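
Review bot: in the second hunk, strstr(cmdline, CONSOLE_ARG) matches the text console= anywhere in bootargs, so it can land on the tail of a longer parameter name or inside a value, and only the first match is blanked, which means a later console= argument survives the fix-up. Check that start is at the beginning of the string or preceded by a space, and repeat the search for further matches. Separately, strncpy(buf, cmdline, num_start_bytes) is used as a plain bounded copy with the terminator written afterwards; memcpy() with a size_t length instead of int num_start_bytes would state that intent more directly.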