From patchwork Tue Jul 12 18:28:23 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ladislav Michl <ladis@linux-mips.org>
X-Patchwork-Id: 647549
X-Patchwork-Delegate: trini@ti.com
Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from theia.denx.de (theia.denx.de [85.214.87.163])
	by ozlabs.org (Postfix) with ESMTP id 3rprC81Nnqz9s8d
	for <incoming@patchwork.ozlabs.org>;
	Wed, 13 Jul 2016 04:31:32 +1000 (AEST)
Received: from localhost (localhost [127.0.0.1])
	by theia.denx.de (Postfix) with ESMTP id 4F2DEA757A;
	Tue, 12 Jul 2016 20:30:33 +0200 (CEST)
Received: from theia.denx.de ([127.0.0.1])
	by localhost (theia.denx.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id UNfs62NfAXzd; Tue, 12 Jul 2016 20:30:33 +0200 (CEST)
Received: from theia.denx.de (localhost [127.0.0.1])
	by theia.denx.de (Postfix) with ESMTP id 82BAAA7643;
	Tue, 12 Jul 2016 20:29:47 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1])
	by theia.denx.de (Postfix) with ESMTP id E3D4FA7620
	for <u-boot@lists.denx.de>; Tue, 12 Jul 2016 20:29:38 +0200 (CEST)
Received: from theia.denx.de ([127.0.0.1])
	by localhost (theia.denx.de [127.0.0.1]) (amavisd-new, port 10024)
	with ESMTP id H8tcHVy3sViu for <u-boot@lists.denx.de>;
	Tue, 12 Jul 2016 20:29:38 +0200 (CEST)
X-policyd-weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5
	NOT_IN_BL_NJABL=-1.5 (only DNSBL check requested)
Received: from cvs.linux-mips.org (eddie.linux-mips.org [148.251.95.138])
	by theia.denx.de (Postfix) with ESMTP id 573E7A75D1
	for <u-boot@lists.denx.de>; Tue, 12 Jul 2016 20:29:21 +0200 (CEST)
Received: (from localhost user: 'ladis' uid#1021 fake: STDIN
	(ladis@eddie.linux-mips.org)) by eddie.linux-mips.org
	id S23993587AbcGLS3VHaK3j for <u-boot@lists.denx.de>;
	Tue, 12 Jul 2016 20:29:21 +0200
From: Ladislav Michl <ladis@linux-mips.org>
To: u-boot@lists.denx.de
Date: Tue, 12 Jul 2016 20:28:23 +0200
Message-Id: <1468348114-11442-16-git-send-email-ladis@linux-mips.org>
X-Mailer: git-send-email 2.1.4
In-Reply-To: <1468348114-11442-1-git-send-email-ladis@linux-mips.org>
References: <1468348114-11442-1-git-send-email-ladis@linux-mips.org>
Cc: Tom Rini <trini@konsulko.com>, Richard Weinberger <richard@nod.at>,
	Scott Wood <scottwood@freescale.com>,
	Enric Balletbo i Serra <enric.balletbo@collabora.com>
Subject: [U-Boot] [PATCH v5 15/26] cmd: mtdparts: fix null pointer
	dereference in parse_mtdparts
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <http://lists.denx.de/mailman/options/u-boot>,
	<mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <http://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <http://lists.denx.de/mailman/listinfo/u-boot>,
	<mailto:u-boot-request@lists.denx.de?subject=subscribe>
MIME-Version: 1.0
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

In case there is no mtdparts variable in relocated environment,
NULL is assigned to p, which is later fed to strncpy.
Also function parameter mtdparts is completely ignored, so use it
in case mtdparts variable is not found in environment. This
parameter is checked not to be NULL in caller.

Signed-off-by: Ladislav Michl <ladis@linux-mips.org>
---

Changes in v5: None
Changes in v4: None
Changes in v3: None
Changes in v2: None

 cmd/mtdparts.c | 23 +++++++++++++----------
 1 file changed, 13 insertions(+), 10 deletions(-)

diff --git a/cmd/mtdparts.c b/cmd/mtdparts.c
index 3a88a10..995cb87 100644
--- a/cmd/mtdparts.c
+++ b/cmd/mtdparts.c
@@ -1524,7 +1524,7 @@ static int spread_partitions(void)
  */
 static int parse_mtdparts(const char *const mtdparts)
 {
-	const char *p = mtdparts;
+	const char *p;
 	struct mtd_device *dev;
 	int err = 1;
 	char tmp_parts[MTDPARTS_MAXLEN];
@@ -1538,20 +1538,25 @@ static int parse_mtdparts(const char *const mtdparts)
 	}
 
 	/* re-read 'mtdparts' variable, mtd_devices_init may be updating env */
-	if (gd->flags & GD_FLG_ENV_READY) {
+	if (gd->flags & GD_FLG_ENV_READY)
 		p = getenv("mtdparts");
-	} else {
-		p = tmp_parts;
-		getenv_f("mtdparts", tmp_parts, MTDPARTS_MAXLEN);
+	else {
+		if (getenv_f("mtdparts", tmp_parts, MTDPARTS_MAXLEN) != -1)
+			p = tmp_parts;
+		else
+			p = NULL;
 	}
 
+	if (!p)
+		p = mtdparts;
+
 	if (strncmp(p, "mtdparts=", 9) != 0) {
 		printf("mtdparts variable doesn't start with 'mtdparts='\n");
 		return err;
 	}
 	p += 9;
 
-	while (p && (*p != '\0')) {
+	while (*p != '\0') {
 		err = 1;
 		if ((device_parse(p, &p, &dev) != 0) || (!dev))
 			break;
@@ -1569,12 +1574,10 @@ static int parse_mtdparts(const char *const mtdparts)
 		list_add_tail(&dev->link, &devices);
 		err = 0;
 	}
-	if (err == 1) {
+	if (err == 1)
 		device_delall(&devices);
-		return 1;
-	}
 
-	return 0;
+	return err;
 }
 
 /**