Patchwork mtd-utils: Check mtdoffset is not larger than mtd.size in case of a bad block.

login
register
mail settings
Submitter Tomer Barletz
Date June 26, 2012, 9:46 p.m.
Message ID <4FEA2DC1.9090003@gmail.com>
Download mbox | patch
Permalink /patch/167468/
State New
Headers show

Comments

Tomer Barletz - June 26, 2012, 9:46 p.m.
mtdoffset is being tested against mtd.size in the outer two loops, but 
the third nested one does not test against it.
In case of a bad block we'll try to access an out of bounds offset in 
the next MEMGETBADBLOCK ioctl, which will fail with EINVAL.
In case mtdoffset is indeed larger than the partition size, we need to 
bail, since there are not enough "good" blocks to complete the write.

Signed-off-by: Tomer Barletz <barletz@gmail.com>
---
  nandwrite.c |    5 +++++
  1 files changed, 5 insertions(+), 0 deletions(-)
Artem Bityutskiy - June 29, 2012, 8:32 a.m.
On Tue, 2012-06-26 at 14:46 -0700, Tomer Barletz wrote:
> mtdoffset is being tested against mtd.size in the outer two loops, but 
> the third nested one does not test against it.
> In case of a bad block we'll try to access an out of bounds offset in 
> the next MEMGETBADBLOCK ioctl, which will fail with EINVAL.
> In case mtdoffset is indeed larger than the partition size, we need to 
> bail, since there are not enough "good" blocks to complete the write.
> 
> Signed-off-by: Tomer Barletz <barletz@gmail.com>

Pushed to mtd-utils, thanks!

Patch

diff --git a/nandwrite.c b/nandwrite.c
index a42f7c9..8bd00c1 100644
--- a/nandwrite.c
+++ b/nandwrite.c
@@ -399,6 +399,11 @@  int main(int argc, char * const argv[])

  				if (baderaseblock) {
  					mtdoffset = blockstart + ebsize_aligned;
+
+					if (mtdoffset > mtd.size) {
+						perror("Too many bad blocks - cannot complete request.");
+						goto closeall;
+					}
  				}
  				offs +=  ebsize_aligned / blockalign;
  			} while (offs < blockstart + ebsize_aligned);