From patchwork Wed Feb 23 16:18:24 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Kyle Moffett X-Patchwork-Id: 84199 X-Patchwork-Delegate: vanbaren@cideas.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from theia.denx.de (theia.denx.de [85.214.87.163]) by ozlabs.org (Postfix) with ESMTP id 7FAB1B70F9 for ; Thu, 24 Feb 2011 03:18:44 +1100 (EST) Received: from localhost (localhost [127.0.0.1]) by theia.denx.de (Postfix) with ESMTP id 3CFED2816B; Wed, 23 Feb 2011 17:18:42 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at theia.denx.de Received: from theia.denx.de ([127.0.0.1]) by localhost (theia.denx.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mRGb89PdPhf1; Wed, 23 Feb 2011 17:18:41 +0100 (CET) Received: from theia.denx.de (localhost [127.0.0.1]) by theia.denx.de (Postfix) with ESMTP id 3C27D281B2; Wed, 23 Feb 2011 17:18:40 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by theia.denx.de (Postfix) with ESMTP id A8CE8281B2 for ; Wed, 23 Feb 2011 17:18:37 +0100 (CET) X-Virus-Scanned: Debian amavisd-new at theia.denx.de Received: from theia.denx.de ([127.0.0.1]) by localhost (theia.denx.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x+33SkfgSFGg for ; Wed, 23 Feb 2011 17:18:36 +0100 (CET) X-policyd-weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 (only DNSBL check requested) Received: from border.exmeritus.com (wsip-70-167-241-26.dc.dc.cox.net [70.167.241.26]) by theia.denx.de (Postfix) with ESMTP id 06692281B1 for ; Wed, 23 Feb 2011 17:18:34 +0100 (CET) Received: from ysera.exmeritus.com (firewall2.exmeritus.com [10.13.38.2]) by border.exmeritus.com (Postfix) with ESMTP id 2A963AC06F; Wed, 23 Feb 2011 11:18:33 -0500 (EST) From: Kyle Moffett To: u-boot@lists.denx.de Date: Wed, 23 Feb 2011 11:18:24 -0500 Message-Id: <1298477904-21221-1-git-send-email-Kyle.D.Moffett@boeing.com> X-Mailer: git-send-email 1.7.2.3 Cc: Jerry Van Baren , John Livingston , Kyle Moffett Subject: [U-Boot] [PATCHv2] fdt_support: Fix buffer overflow in fdt_fixup_memory_banks X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.9 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: u-boot-bounces@lists.denx.de Errors-To: u-boot-bounces@lists.denx.de When fdt_fixup_memory_banks is called with 2-cell address and size fields in the device-tree (IE: 64-bit address and size), then it will overflow its on-stack "tmp" buffer. This fixes the buffer size and adds a comment explaining how many bytes need to be allocated per record. Signed-off-by: Kyle Moffett Cc: Jerry Van Baren Acked-by: Gerald Van Baren --- Changelog: v2: Resubmitted separately from the other HWW-1U-1A changes. common/fdt_support.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/common/fdt_support.c b/common/fdt_support.c index 6c98e5b..edcf04a 100644 --- a/common/fdt_support.c +++ b/common/fdt_support.c @@ -394,7 +394,7 @@ int fdt_fixup_memory_banks(void *blob, u64 start[], u64 size[], int banks) { int err, nodeoffset; int addr_cell_len, size_cell_len, len; - u8 tmp[banks * 8]; + u8 tmp[banks * 16]; /* Up to 64-bit address + 64-bit size */ int bank; err = fdt_check_header(blob);