From patchwork Sun Jun 5 17:40:31 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ladislav Michl X-Patchwork-Id: 630452 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from theia.denx.de (theia.denx.de [85.214.87.163]) by ozlabs.org (Postfix) with ESMTP id 3rN4qY52bHz9t5Q for ; Mon, 6 Jun 2016 03:40:41 +1000 (AEST) Received: from localhost (localhost [127.0.0.1]) by theia.denx.de (Postfix) with ESMTP id 5DB4A4B7EB; Sun, 5 Jun 2016 19:40:40 +0200 (CEST) Received: from theia.denx.de ([127.0.0.1]) by localhost (theia.denx.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O5rd5njSo-pL; Sun, 5 Jun 2016 19:40:40 +0200 (CEST) Received: from theia.denx.de (localhost [127.0.0.1]) by theia.denx.de (Postfix) with ESMTP id CE1A24B68A; Sun, 5 Jun 2016 19:40:39 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by theia.denx.de (Postfix) with ESMTP id 500B34B68A for ; Sun, 5 Jun 2016 19:40:37 +0200 (CEST) Received: from theia.denx.de ([127.0.0.1]) by localhost (theia.denx.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6OSHPK5Etwmb for ; Sun, 5 Jun 2016 19:40:37 +0200 (CEST) X-policyd-weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 (only DNSBL check requested) Received: from cvs.linux-mips.org (eddie.linux-mips.org [148.251.95.138]) by theia.denx.de (Postfix) with ESMTP id 146D24B62B for ; Sun, 5 Jun 2016 19:40:32 +0200 (CEST) Received: (from localhost user: 'ladis' uid#1021 fake: STDIN (ladis@eddie.linux-mips.org)) by eddie.linux-mips.org id S27042406AbcFERkchz93P (ORCPT ); Sun, 5 Jun 2016 19:40:32 +0200 Date: Sun, 5 Jun 2016 19:40:31 +0200 From: Ladislav Michl To: u-boot@lists.denx.de Message-ID: <20160605174031.GB26814@localhost.localdomain> References: <20160605173453.GA26656@localhost.localdomain> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20160605173453.GA26656@localhost.localdomain> User-Agent: Mutt/1.5.23 (2014-03-12) Cc: Tom Rini , Stefan Roese , Harald Welte , Scott Wood Subject: [U-Boot] [PATCH 2/6] cmd: mtdparts: fix null pointer dereference in parse_mtdparts X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.15 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" In case there is no mtdparts variable in relocated environment, NULL is assigned to p, which is later fed to strncpy. Also function parameter mtdparts is completely ignored, so use it in case mtdparts variable is not found in environment. This parameter is checked not to be NULL in caller. Signed-off-by: Ladislav Michl --- cmd/mtdparts.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/cmd/mtdparts.c b/cmd/mtdparts.c index 3a88a10..995cb87 100644 --- a/cmd/mtdparts.c +++ b/cmd/mtdparts.c @@ -1524,7 +1524,7 @@ static int spread_partitions(void) */ static int parse_mtdparts(const char *const mtdparts) { - const char *p = mtdparts; + const char *p; struct mtd_device *dev; int err = 1; char tmp_parts[MTDPARTS_MAXLEN]; @@ -1538,20 +1538,25 @@ static int parse_mtdparts(const char *const mtdparts) } /* re-read 'mtdparts' variable, mtd_devices_init may be updating env */ - if (gd->flags & GD_FLG_ENV_READY) { + if (gd->flags & GD_FLG_ENV_READY) p = getenv("mtdparts"); - } else { - p = tmp_parts; - getenv_f("mtdparts", tmp_parts, MTDPARTS_MAXLEN); + else { + if (getenv_f("mtdparts", tmp_parts, MTDPARTS_MAXLEN) != -1) + p = tmp_parts; + else + p = NULL; } + if (!p) + p = mtdparts; + if (strncmp(p, "mtdparts=", 9) != 0) { printf("mtdparts variable doesn't start with 'mtdparts='\n"); return err; } p += 9; - while (p && (*p != '\0')) { + while (*p != '\0') { err = 1; if ((device_parse(p, &p, &dev) != 0) || (!dev)) break; @@ -1569,12 +1574,10 @@ static int parse_mtdparts(const char *const mtdparts) list_add_tail(&dev->link, &devices); err = 0; } - if (err == 1) { + if (err == 1) device_delall(&devices); - return 1; - } - return 0; + return err; } /**