From patchwork Thu Oct 20 17:54:58 2011
X-Patchwork-Submitter: Doug Anderson
X-Patchwork-Id: 120849
From: Doug Anderson
To: u-boot@lists.denx.de
Date: Thu, 20 Oct 2011 10:54:58 -0700
Message-Id: <1319133298-30249-1-git-send-email-dianders@chromium.org>
In-Reply-To: <20111020144041.3ED5E14094B3@gemini.denx.de>
References: <20111020144041.3ED5E14094B3@gemini.denx.de>
Cc: Anton Staaf
Subject: [U-Boot] [PATCH v2] bootm: Avoid 256-byte overflow in fixup_silent_linux()

This makes fixup_silent_linux() use malloc() to allocate its working space, meaning that our maximum kernel command line should only be limited by malloc(). Previously it was silently overflowing the stack.

Signed-off-by: Doug Anderson
---
v2: This is a simpler version of patch 3/4 in my previous patchset that just uses malloc() without using the general command line munging funcs. We can separately continue to discuss about the general command func if desired.

common/cmd_bootm.c | 44 ++++++++++++++++++++++++++++++++++----------
1 files changed, 34 insertions(+), 10 deletions(-)

diff --git a/common/cmd_bootm.c b/common/cmd_bootm.c index ece1b9a..5bddea4 100644 --- a/common/cmd_bootm.c +++ b/common/cmd_bootm.c @@ -1200,9 +1200,13 @@ U_BOOT_CMD( /* helper routines */ /*******************************************************************/ #ifdef CONFIG_SILENT_CONSOLE + +#define CONSOLE_ARG "console=" +#define CONSOLE_ARG_LEN (sizeof(CONSOLE_ARG) - 1) + static void fixup_silent_linux(void) { - char buf[256], *start, *end; + char *buf; char *cmdline = getenv("bootargs"); /* Only fix cmdline when requested */ 
@@ -1210,25 +1214,45 @@ static void fixup_silent_linux(void) return; debug("before silent fix-up: %s\n", cmdline); - if (cmdline) { - start = strstr(cmdline, "console="); + if (cmdline && (cmdline[0] != '\0')) { + char *start = strstr(cmdline, "console="); if (start) { - end = strchr(start, ' '); - strncpy(buf, cmdline, (start - cmdline + 8)); + char *end = strchr(start, ' '); + int num_start_bytes = start - cmdline + CONSOLE_ARG_LEN; + + /* We know cmdline bytes will be more than enough. */ + buf = malloc(strlen(cmdline) + 1); + if (!buf) { + debug("WARNING: %s failed to alloc cmdline\n", + __func__); + return; + } + + strncpy(buf, cmdline, num_start_bytes); if (end) - strcpy(buf + (start - cmdline + 8), end); + strcpy(buf + num_start_bytes, end); else - buf[start - cmdline + 8] = '\0'; + buf[num_start_bytes] = '\0'; } else { - strcpy(buf, cmdline); - strcat(buf, " console="); + buf = malloc(strlen(cmdline) + 1 + CONSOLE_ARG_LEN + 1); + if (!buf) { + debug("WARNING: %s failed to alloc cmdline\n", + __func__); + return; + } + sprintf(buf, "%s %s", cmdline, CONSOLE_ARG); } } else { - strcpy(buf, "console="); + buf = strdup("console="); + if (!buf) { + debug("WARNING: strdup failed in fixup_silent_linux\n"); + return; + } } setenv("bootargs", buf); debug("after silent fix-up: %s\n", buf); + free(buf); } #endif /* CONFIG_SILENT_CONSOLE */
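Review bot: in the first hunk (@@ -1200,9 +1200,13 @@), CONSOLE_ARG and CONSOLE_ARG_LEN are introduced but only partly adopted: the second hunk still spells the literal in strstr(cmdline, "console=") and strdup("console="), so the string and the length derived from it can drift apart. Use CONSOLE_ARG at both call sites. In the same hunk, char *buf; has no initialiser while the function now ends in free(buf); initialising it to NULL would keep any later-added path that skips the allocations from freeing an indeterminate pointer.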
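Review bot: in the second hunk (@@ -1210,25 +1214,45 @@), all three allocation-failure branches report only through debug() and then return with bootargs untouched, so on a build where debug() is compiled out a failed malloc() or strdup() skips the silent fix-up with no message at all. The function returns void, so the caller cannot tell either; print the warning with printf() or puts(), or return an error code. Smaller points in the same hunk: int num_start_bytes holds a pointer difference plus a sizeof-derived value, so size_t fits better, and the strdup failure message hardcodes the function name where the other two use __func__.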