From: Doug Anderson
To: U-Boot Mailing List
Date: Tue, 17 Jan 2012 11:16:53 -0800
Message-Id: <1326827813-17170-1-git-send-email-dianders@chromium.org>
In-Reply-To: <1326305992-27939-1-git-send-email-dianders@chromium.org>
Subject: [U-Boot] [PATCH v3] bootm: Avoid 256-byte overflow in fixup_silent_linux()

This makes fixup_silent_linux() use malloc() to allocate its working
space, meaning that our maximum kernel command line should only be
limited by malloc().  Previously it was silently overflowing the stack.

Note that nothing about this change increases the kernel's maximum
command line length.  If you have a command line that is >256 bytes
it's up to you to make sure that kernel can handle it.

Signed-off-by: Doug Anderson
---
Changes in v2:
- Tried to trim down to just the minimum changes needed with no extra
  helper code.

Changes in v3:
- Took Mike Frysinger's suggestion of removing strdup()

 common/cmd_bootm.c |   41 +++++++++++++++++++++++++++++------------
 1 files changed, 29 insertions(+), 12 deletions(-)

diff --git a/common/cmd_bootm.c b/common/cmd_bootm.c index d5745b1..95ac2d9 100644 --- a/common/cmd_bootm.c +++ b/common/cmd_bootm.c @@ -1229,9 +1229,14 @@ U_BOOT_CMD( /* helper routines */ /*******************************************************************/ #ifdef CONFIG_SILENT_CONSOLE + +#define CONSOLE_ARG "console=" +#define CONSOLE_ARG_LEN (sizeof(CONSOLE_ARG) - 1) + static void fixup_silent_linux(void) { - char buf[256], *start, *end; + char *buf; + char *env_val; char *cmdline = getenv("bootargs"); /* Only fix cmdline when requested */ @@ -1239,25 +1244,37 @@ static void fixup_silent_linux(void) return; debug("before silent fix-up: %s\n", cmdline); - if (cmdline) { - start = strstr(cmdline, "console="); + if (cmdline && (cmdline[0] != '\0')) { + char *start = strstr(cmdline, CONSOLE_ARG); + + /* Allocate space for maximum possible new command line */ + buf = malloc(strlen(cmdline) + 1 + CONSOLE_ARG_LEN + 1); + if (!buf) { + debug("%s: out of memory\n", __func__); + return; + } + if (start) { - end = strchr(start, ' '); - strncpy(buf, cmdline, (start - cmdline + 8)); + char *end = strchr(start, ' '); + int num_start_bytes = start - cmdline + CONSOLE_ARG_LEN; + + strncpy(buf, cmdline, num_start_bytes); if (end) - strcpy(buf + (start - cmdline + 8), end); + strcpy(buf + num_start_bytes, end); else - buf[start - cmdline + 8] = '\0'; + buf[num_start_bytes] = '\0'; } else { - strcpy(buf, cmdline); - strcat(buf, " console="); + sprintf(buf, "%s %s", cmdline, CONSOLE_ARG); } + env_val = buf; } else { - strcpy(buf, "console="); + buf = NULL; + env_val = CONSOLE_ARG; } - setenv("bootargs", buf); - debug("after silent fix-up: %s\n", buf); + setenv("bootargs", env_val); + debug("after silent fix-up: %s\n", env_val); + free(buf); } #endif /* CONFIG_SILENT_CONSOLE */
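
Review bot: in the first hunk (@@ -1229,9 +1229,14 @@), "char *buf;" is declared without an initialiser even though the function now ends in free(buf). As posted, every path that reaches free() assigns buf first, so this is not a bug, but declaring it as "char *buf = NULL;" would make the "buf = NULL;" in the else branch unnecessary and keep the final free() safe if another path to it is added later.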
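
Review bot: in the second hunk (@@ -1239,25 +1244,37 @@), the "if (!buf)" branch after malloc() returns without calling setenv(), so on allocation failure bootargs keeps its original console= value and the silent-console fix-up is skipped; the only report is a debug() line, which is compiled out unless DEBUG is defined. Since the point of this function is to blank the console argument, consider reporting the failure with a message that is always printed, so the skipped fix-up is visible. A smaller point in the same hunk: "int num_start_bytes = start - cmdline + CONSOLE_ARG_LEN;" stores a pointer difference plus a size in an int; size_t would match what strncpy() takes.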