From patchwork Thu Oct  4 01:47:03 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Troy Kisky <troy.kisky@boundarydevices.com>
X-Patchwork-Id: 188983
X-Patchwork-Delegate: sbabic@denx.de
Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from theia.denx.de (theia.denx.de [85.214.87.163])
	by ozlabs.org (Postfix) with ESMTP id E4D4F2C0327
	for <incoming@patchwork.ozlabs.org>;
	Thu,  4 Oct 2012 11:48:29 +1000 (EST)
Received: from localhost (localhost [127.0.0.1])
	by theia.denx.de (Postfix) with ESMTP id 6596728229;
	Thu,  4 Oct 2012 03:48:25 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at theia.denx.de
Received: from theia.denx.de ([127.0.0.1])
	by localhost (theia.denx.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id KsQkJlJ4ff2W; Thu,  4 Oct 2012 03:48:25 +0200 (CEST)
Received: from theia.denx.de (localhost [127.0.0.1])
	by theia.denx.de (Postfix) with ESMTP id B089428225;
	Thu,  4 Oct 2012 03:47:47 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by theia.denx.de (Postfix) with ESMTP id D88BC2821D
	for <u-boot@lists.denx.de>; Thu,  4 Oct 2012 03:47:38 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at theia.denx.de
Received: from theia.denx.de ([127.0.0.1])
	by localhost (theia.denx.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id M45JVvcAobaB for <u-boot@lists.denx.de>;
	Thu,  4 Oct 2012 03:47:38 +0200 (CEST)
X-policyd-weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5
	NOT_IN_BL_NJABL=-1.5 (only DNSBL check requested)
Received: from mail-da0-f44.google.com (mail-da0-f44.google.com
	[209.85.210.44]) by theia.denx.de (Postfix) with ESMTPS id 5995C281DA
	for <u-boot@lists.denx.de>; Thu,  4 Oct 2012 03:47:35 +0200 (CEST)
Received: by danh15 with SMTP id h15so2684552dan.3
	for <u-boot@lists.denx.de>; Wed, 03 Oct 2012 18:47:34 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=google.com; s=20120113;
	h=from:to:cc:subject:date:message-id:x-mailer:in-reply-to:references
	:x-gm-message-state;
	bh=H7bYOfwjOfVJqR+gQO4y+udTdMutP07hbRCaL0RmShM=;
	b=ceac6bI2zXGqo3II9J9+VU9zcNYgrDwF1QQ5rGsa33i3+U3Oo2J5HEPo1OjZynTiJp
	m+H9KDmGvzKIDmfbtWvEKHboeY9fE3Lh219CB/UpiRKyJJwS3sulMsEwoWQBPjM5qeuY
	gwxlkTvuRzERUu0wMVg9vPVfskMPp1klW/nP7d0SJRRG/WXZY3o1eFG2EGVqBI1F7U9G
	u/bitWQJ6lveBQapwNjGhFCTc4IoJOjM+PY49wMhe1BMtw65fr37HZxHsQnamYwj2XY3
	kkO5+pWU5K02E5+uuzctpo3Vq1uJQXuJtWX/KvaxS95ZhwZY6gTfqfAhbxzFPzatuaPu
	GKKQ==
Received: by 10.66.82.101 with SMTP id h5mr9467939pay.15.1349315254261;
	Wed, 03 Oct 2012 18:47:34 -0700 (PDT)
Received: from officeserver-2 ([70.96.116.236])
	by mx.google.com with ESMTPS id
	te6sm3467820pbc.29.2012.10.03.18.47.31
	(version=TLSv1/SSLv3 cipher=OTHER);
	Wed, 03 Oct 2012 18:47:32 -0700 (PDT)
Received: from tkisky by officeserver-2 with local (Exim 4.76)
	(envelope-from <troy.kisky@boundarydevices.com>)
	id 1TJaXb-0005WH-Pj; Wed, 03 Oct 2012 18:47:55 -0700
From: Troy Kisky <troy.kisky@boundarydevices.com>
To: sbabic@denx.de
Date: Wed,  3 Oct 2012 18:47:03 -0700
Message-Id: <1349315254-21151-2-git-send-email-troy.kisky@boundarydevices.com>
X-Mailer: git-send-email 1.7.9.5
In-Reply-To: 
 <1349315254-21151-1-git-send-email-troy.kisky@boundarydevices.com>
References: <1348281558-19520-1-git-send-email-troy.kisky@boundarydevices.com>
	<1349315254-21151-1-git-send-email-troy.kisky@boundarydevices.com>
X-Gm-Message-State: 
 ALoCoQns7Q/KyYFm+7o5P/6oRyvQE61jF0zGSc8kEd63pwOhUXB1cPtT7YYsezqNH0Ah+7kMqm9a
Cc: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH V3 01/32] imximage: check dcd_len as entries added
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.11
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <http://lists.denx.de/mailman/options/u-boot>,
	<mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <http://lists.denx.de/pipermail/u-boot>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <http://lists.denx.de/mailman/listinfo/u-boot>,
	<mailto:u-boot-request@lists.denx.de?subject=subscribe>
MIME-Version: 1.0
Sender: u-boot-bounces@lists.denx.de
Errors-To: u-boot-bounces@lists.denx.de

Before the len was checked after the entire file
was processed, so it could have already overflowed.

Signed-off-by: Troy Kisky <troy.kisky@boundarydevices.com>
---
v3 changed to the 1st patch of the series
---
 tools/imximage.c |   26 +++++++++++---------------
 1 file changed, 11 insertions(+), 15 deletions(-)

diff --git a/tools/imximage.c b/tools/imximage.c
index 03a7716..c917036 100644
--- a/tools/imximage.c
+++ b/tools/imximage.c
@@ -71,6 +71,7 @@ static uint32_t imximage_version;
 static set_dcd_val_t set_dcd_val;
 static set_dcd_rst_t set_dcd_rst;
 static set_imx_hdr_t set_imx_hdr;
+static uint32_t max_dcd_entries;
 
 static uint32_t get_cfg_value(char *token, char *name,  int linenr)
 {
@@ -170,13 +171,6 @@ static void set_dcd_rst_v1(struct imx_header *imxhdr, uint32_t dcd_len,
 {
 	dcd_v1_t *dcd_v1 = &imxhdr->header.hdr_v1.dcd_table;
 
-	if (dcd_len > MAX_HW_CFG_SIZE_V1) {
-		fprintf(stderr, "Error: %s[%d] -"
-			"DCD table exceeds maximum size(%d)\n",
-			name, lineno, MAX_HW_CFG_SIZE_V1);
-		exit(EXIT_FAILURE);
-	}
-
 	dcd_v1->preamble.barker = DCD_BARKER;
 	dcd_v1->preamble.length = dcd_len * sizeof(dcd_type_addr_data_t);
 }
@@ -190,13 +184,6 @@ static void set_dcd_rst_v2(struct imx_header *imxhdr, uint32_t dcd_len,
 {
 	dcd_v2_t *dcd_v2 = &imxhdr->header.hdr_v2.dcd_table;
 
-	if (dcd_len > MAX_HW_CFG_SIZE_V2) {
-		fprintf(stderr, "Error: %s[%d] -"
-			"DCD table exceeds maximum size(%d)\n",
-			name, lineno, MAX_HW_CFG_SIZE_V2);
-		exit(EXIT_FAILURE);
-	}
-
 	dcd_v2->header.tag = DCD_HEADER_TAG;
 	dcd_v2->header.length = cpu_to_be16(
 			dcd_len * sizeof(dcd_addr_data_t) + 8);
@@ -295,11 +282,13 @@ static void set_hdr_func(struct imx_header *imxhdr)
 		set_dcd_val = set_dcd_val_v1;
 		set_dcd_rst = set_dcd_rst_v1;
 		set_imx_hdr = set_imx_hdr_v1;
+		max_dcd_entries = MAX_HW_CFG_SIZE_V1;
 		break;
 	case IMXIMAGE_V2:
 		set_dcd_val = set_dcd_val_v2;
 		set_dcd_rst = set_dcd_rst_v2;
 		set_imx_hdr = set_imx_hdr_v2;
+		max_dcd_entries = MAX_HW_CFG_SIZE_V2;
 		break;
 	default:
 		err_imximage_version(imximage_version);
@@ -426,8 +415,15 @@ static void parse_cfg_fld(struct imx_header *imxhdr, int32_t *cmd,
 		value = get_cfg_value(token, name, lineno);
 		(*set_dcd_val)(imxhdr, name, lineno, fld, value, *dcd_len);
 
-		if (fld == CFG_REG_VALUE)
+		if (fld == CFG_REG_VALUE) {
 			(*dcd_len)++;
+			if (*dcd_len > max_dcd_entries) {
+				fprintf(stderr, "Error: %s[%d] -"
+					"DCD table exceeds maximum size(%d)\n",
+					name, lineno, max_dcd_entries);
+				exit(EXIT_FAILURE);
+			}
+		}
 		break;
 	default:
 		break;