From: Troy Kisky
To: sbabic@denx.de
Cc: u-boot@lists.denx.de
Date: Tue, 18 Sep 2012 17:03:00 -0700
Message-Id: <1348012989-19674-3-git-send-email-troy.kisky@boundarydevices.com>
In-Reply-To: <1348012989-19674-1-git-send-email-troy.kisky@boundarydevices.com>
Subject: [U-Boot] [PATCH 02/11] imximage: check dcd_len as entries added

Before the len was checked after the entire file was processed, so it could have already overflowed.

Signed-off-by: Troy Kisky
---
tools/imximage.c | 26 +++++++++++---------------
1 file changed, 11 insertions(+), 15 deletions(-)

diff --git a/tools/imximage.c b/tools/imximage.c index 25d3b74..0bfbec3 100644 --- a/tools/imximage.c +++ b/tools/imximage.c 
@@ -71,6 +71,7 @@ static set_dcd_val_t set_dcd_val; static set_dcd_rst_t set_dcd_rst; static set_imx_hdr_t set_imx_hdr; static set_imx_size_t set_imx_size; +static uint32_t max_dcd_entries; static uint32_t g_flash_offset; static struct image_type_params imximage_params; @@ -173,13 +174,6 @@ static void set_dcd_rst_v1(struct imx_header *imxhdr, uint32_t dcd_len, { dcd_v1_t *dcd_v1 = &imxhdr->header.hdr_v1.dcd_table; - if (dcd_len > MAX_HW_CFG_SIZE_V1) { - fprintf(stderr, "Error: %s[%d] -" - "DCD table exceeds maximum size(%d)\n", - name, lineno, MAX_HW_CFG_SIZE_V1); - exit(EXIT_FAILURE); - } - dcd_v1->preamble.barker = DCD_BARKER; dcd_v1->preamble.length = dcd_len * sizeof(dcd_type_addr_data_t); } @@ -193,13 +187,6 @@ static void set_dcd_rst_v2(struct imx_header *imxhdr, uint32_t dcd_len, { dcd_v2_t *dcd_v2 = &imxhdr->header.hdr_v2.dcd_table; - if (dcd_len > MAX_HW_CFG_SIZE_V2) { - fprintf(stderr, "Error: %s[%d] -" - "DCD table exceeds maximum size(%d)\n", - name, lineno, MAX_HW_CFG_SIZE_V2); - exit(EXIT_FAILURE); - } - dcd_v2->header.tag = DCD_HEADER_TAG; dcd_v2->header.length = cpu_to_be16( dcd_len * sizeof(dcd_addr_data_t) + 8); @@ -293,12 +280,14 @@ static void set_hdr_func(struct imx_header *imxhdr) set_dcd_rst = set_dcd_rst_v1; set_imx_hdr = set_imx_hdr_v1; set_imx_size = set_imx_size_v1; + max_dcd_entries = MAX_HW_CFG_SIZE_V1; break; case IMXIMAGE_V2: set_dcd_val = set_dcd_val_v2; set_dcd_rst = set_dcd_rst_v2; set_imx_hdr = set_imx_hdr_v2; set_imx_size = set_imx_size_v2; + max_dcd_entries = MAX_HW_CFG_SIZE_V2; break; default: err_imximage_version(imximage_version); 
@@ -425,8 +414,15 @@ static void parse_cfg_fld(struct imx_header *imxhdr, int32_t *cmd, value = get_cfg_value(token, name, lineno); (*set_dcd_val)(imxhdr, name, lineno, fld, value, *dcd_len); - if (fld == CFG_REG_VALUE) + if (fld == CFG_REG_VALUE) { (*dcd_len)++; + if (*dcd_len > max_dcd_entries) { + fprintf(stderr, "Error: %s[%d] -" + "DCD table exceeds maximum size(%d)\n", + name, lineno, max_dcd_entries); + exit(EXIT_FAILURE); + } + } break; default: break;
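Review bot: the bound check in the parse_cfg_fld() hunk still comes one entry too late. (*set_dcd_val)(imxhdr, name, lineno, fld, value, *dcd_len) runs before the test, and the test only fires on CFG_REG_VALUE after (*dcd_len)++ using "*dcd_len > max_dcd_entries". When *dcd_len already equals max_dcd_entries, all fields of the next entry are therefore passed to set_dcd_val with an index equal to the limit before the error is reported. If the DCD tables are sized to exactly MAX_HW_CFG_SIZE_V1 / MAX_HW_CFG_SIZE_V2 entries (the array declarations are not in this diff), that is a write one element past the end. Moving the test ahead of the set_dcd_val call as "if (*dcd_len >= max_dcd_entries)" closes that window. Separately, max_dcd_entries is a uint32_t but is printed with %d; %u (or PRIu32) matches the type.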
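Review bot: max_dcd_entries, declared in the first hunk, is a file-scope static that stays 0 until set_hdr_func() assigns it in the IMXIMAGE_V1 or IMXIMAGE_V2 case, while the new check in parse_cfg_fld() compares against it unconditionally. If a configuration file can reach a register entry before the header version has been selected, the first entry would be rejected with "DCD table exceeds maximum size(0)", which points the user at the wrong problem. Either give the variable its value wherever the default version is set up, or add a comment at the declaration stating that set_hdr_func() must have run before any entry is parsed.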
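Review bot: with the size checks deleted from set_dcd_rst_v1() and set_dcd_rst_v2(), both functions now rely on the caller having bounded dcd_len, and nothing at either site documents that. In set_dcd_rst_v2() the value goes straight into cpu_to_be16(dcd_len * sizeof(dcd_addr_data_t) + 8), which would truncate silently to 16 bits if the invariant were ever broken by a new caller. A one-line comment in each function naming parse_cfg_fld() as the place where the limit is enforced would make the dependency visible to whoever touches this code next.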