diff mbox

[U-Boot,v5,15/26] cmd: mtdparts: fix null pointer dereference in parse_mtdparts

Message ID 1468348114-11442-16-git-send-email-ladis@linux-mips.org
State Accepted
Delegated to: Tom Rini
Headers show

Commit Message

Ladislav Michl July 12, 2016, 6:28 p.m. UTC 
In case there is no mtdparts variable in relocated environment,
NULL is assigned to p, which is later fed to strncpy.
Also function parameter mtdparts is completely ignored, so use it
in case mtdparts variable is not found in environment. This
parameter is checked not to be NULL in caller.

Signed-off-by: Ladislav Michl <ladis@linux-mips.org>
---

Changes in v5: None
Changes in v4: None
Changes in v3: None
Changes in v2: None

 cmd/mtdparts.c | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

Comments

Tom Rini July 23, 2016, 12:11 a.m. UTC | #1 
On Tue, Jul 12, 2016 at 08:28:23PM +0200, Ladislav Michl wrote:

> In case there is no mtdparts variable in relocated environment,
> NULL is assigned to p, which is later fed to strncpy.
> Also function parameter mtdparts is completely ignored, so use it
> in case mtdparts variable is not found in environment. This
> parameter is checked not to be NULL in caller.
> 
> Signed-off-by: Ladislav Michl <ladis@linux-mips.org>

Applied to u-boot/master, thanks!
diff mbox

Patch

diff --git a/cmd/mtdparts.c b/cmd/mtdparts.c
index 3a88a10..995cb87 100644
--- a/cmd/mtdparts.c
+++ b/cmd/mtdparts.c
@@ -1524,7 +1524,7 @@  static int spread_partitions(void)
  */
 static int parse_mtdparts(const char *const mtdparts)
 {
-	const char *p = mtdparts;
+	const char *p;
 	struct mtd_device *dev;
 	int err = 1;
 	char tmp_parts[MTDPARTS_MAXLEN];
@@ -1538,20 +1538,25 @@  static int parse_mtdparts(const char *const mtdparts)
 	}
 
 	/* re-read 'mtdparts' variable, mtd_devices_init may be updating env */
-	if (gd->flags & GD_FLG_ENV_READY) {
+	if (gd->flags & GD_FLG_ENV_READY)
 		p = getenv("mtdparts");
-	} else {
-		p = tmp_parts;
-		getenv_f("mtdparts", tmp_parts, MTDPARTS_MAXLEN);
+	else {
+		if (getenv_f("mtdparts", tmp_parts, MTDPARTS_MAXLEN) != -1)
+			p = tmp_parts;
+		else
+			p = NULL;
 	}
 
+	if (!p)
+		p = mtdparts;
+
 	if (strncmp(p, "mtdparts=", 9) != 0) {
 		printf("mtdparts variable doesn't start with 'mtdparts='\n");
 		return err;
 	}
 	p += 9;
 
-	while (p && (*p != '\0')) {
+	while (*p != '\0') {
 		err = 1;
 		if ((device_parse(p, &p, &dev) != 0) || (!dev))
 			break;
@@ -1569,12 +1574,10 @@  static int parse_mtdparts(const char *const mtdparts)
 		list_add_tail(&dev->link, &devices);
 		err = 0;
 	}
-	if (err == 1) {
+	if (err == 1)
 		device_delall(&devices);
-		return 1;
-	}
 
-	return 0;
+	return err;
 }
 
 /**