Message ID | 20210730122354.6281-1-matthias.schiffer@ew.tq-group.com |
---|---|
State | Accepted |
Commit | 5f9338ad56e6b1168905e73ecfcd5e1b7b1a32e2 |
Delegated to: | Tom Rini |
Headers | show |
Series | fastboot: fix partition name truncation in environment lookup | expand |
On 7/30/21 8:23 AM, Matthias Schiffer wrote: > strlcat() need to be passed the full buffer length. The incorrect call > caused truncation of partition names for fastboot_raw_partition_... and > fastboot_partition_alias_... env lookup to much less than PART_NAME_LEN. > > Fixes: 69a752983171 ("fastboot: Fix possible buffer overrun") > Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com> > --- > drivers/fastboot/fb_mmc.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/drivers/fastboot/fb_mmc.c b/drivers/fastboot/fb_mmc.c > index 2f3837e559..33fd6c21af 100644 > --- a/drivers/fastboot/fb_mmc.c > +++ b/drivers/fastboot/fb_mmc.c > @@ -40,7 +40,7 @@ static int raw_part_get_info_by_name(struct blk_desc *dev_desc, > > /* check for raw partition descriptor */ > strcpy(env_desc_name, "fastboot_raw_partition_"); > - strlcat(env_desc_name, name, PART_NAME_LEN); > + strlcat(env_desc_name, name, sizeof(env_desc_name)); > raw_part_desc = strdup(env_get(env_desc_name)); > if (raw_part_desc == NULL) > return -ENODEV; > @@ -114,7 +114,7 @@ static int part_get_info_by_name_or_alias(struct blk_desc **dev_desc, > > /* check for alias */ > strcpy(env_alias_name, "fastboot_partition_alias_"); > - strlcat(env_alias_name, name, PART_NAME_LEN); > + strlcat(env_alias_name, name, sizeof(env_alias_name)); > aliased_part_name = env_get(env_alias_name); > if (aliased_part_name != NULL) > ret = do_get_part_info(dev_desc, aliased_part_name, > Reviewed-by: Sean Anderson <seanga2@gmail.com>
On Fri, 2021-07-30 at 10:04 -0400, Sean Anderson wrote: > On 7/30/21 8:23 AM, Matthias Schiffer wrote: > > strlcat() need to be passed the full buffer length. The incorrect call > > caused truncation of partition names for fastboot_raw_partition_... and > > fastboot_partition_alias_... env lookup to much less than PART_NAME_LEN. > > > > Fixes: 69a752983171 ("fastboot: Fix possible buffer overrun") > > Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com> > > --- > > drivers/fastboot/fb_mmc.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/drivers/fastboot/fb_mmc.c b/drivers/fastboot/fb_mmc.c > > index 2f3837e559..33fd6c21af 100644 > > --- a/drivers/fastboot/fb_mmc.c > > +++ b/drivers/fastboot/fb_mmc.c > > @@ -40,7 +40,7 @@ static int raw_part_get_info_by_name(struct blk_desc *dev_desc, > > > > /* check for raw partition descriptor */ > > strcpy(env_desc_name, "fastboot_raw_partition_"); > > - strlcat(env_desc_name, name, PART_NAME_LEN); > > + strlcat(env_desc_name, name, sizeof(env_desc_name)); > > raw_part_desc = strdup(env_get(env_desc_name)); > > if (raw_part_desc == NULL) > > return -ENODEV; > > @@ -114,7 +114,7 @@ static int part_get_info_by_name_or_alias(struct blk_desc **dev_desc, > > > > /* check for alias */ > > strcpy(env_alias_name, "fastboot_partition_alias_"); > > - strlcat(env_alias_name, name, PART_NAME_LEN); > > + strlcat(env_alias_name, name, sizeof(env_alias_name)); > > aliased_part_name = env_get(env_alias_name); > > if (aliased_part_name != NULL) > > ret = do_get_part_info(dev_desc, aliased_part_name, > > > > Reviewed-by: Sean Anderson <seanga2@gmail.com> Hi, what's the status here? It would be great to have this bugfix in the next release. Regards, Matthias
On Fri, Jul 30, 2021 at 02:23:54PM +0200, Matthias Schiffer wrote: > strlcat() need to be passed the full buffer length. The incorrect call > caused truncation of partition names for fastboot_raw_partition_... and > fastboot_partition_alias_... env lookup to much less than PART_NAME_LEN. > > Fixes: 69a752983171 ("fastboot: Fix possible buffer overrun") > Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com> > Reviewed-by: Sean Anderson <seanga2@gmail.com> Applied to u-boot/master, thanks!
diff --git a/drivers/fastboot/fb_mmc.c b/drivers/fastboot/fb_mmc.c index 2f3837e559..33fd6c21af 100644 --- a/drivers/fastboot/fb_mmc.c +++ b/drivers/fastboot/fb_mmc.c @@ -40,7 +40,7 @@ static int raw_part_get_info_by_name(struct blk_desc *dev_desc, /* check for raw partition descriptor */ strcpy(env_desc_name, "fastboot_raw_partition_"); - strlcat(env_desc_name, name, PART_NAME_LEN); + strlcat(env_desc_name, name, sizeof(env_desc_name)); raw_part_desc = strdup(env_get(env_desc_name)); if (raw_part_desc == NULL) return -ENODEV; @@ -114,7 +114,7 @@ static int part_get_info_by_name_or_alias(struct blk_desc **dev_desc, /* check for alias */ strcpy(env_alias_name, "fastboot_partition_alias_"); - strlcat(env_alias_name, name, PART_NAME_LEN); + strlcat(env_alias_name, name, sizeof(env_alias_name)); aliased_part_name = env_get(env_alias_name); if (aliased_part_name != NULL) ret = do_get_part_info(dev_desc, aliased_part_name,
strlcat() need to be passed the full buffer length. The incorrect call caused truncation of partition names for fastboot_raw_partition_... and fastboot_partition_alias_... env lookup to much less than PART_NAME_LEN. Fixes: 69a752983171 ("fastboot: Fix possible buffer overrun") Signed-off-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com> --- drivers/fastboot/fb_mmc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)