Commit 2c4fd433 authored by Simon Arlott Committed by Brian Norris

mtd: bcm63xxpart: Null terminate and validate conversion of flash strings

Strings read from flash could be missing null termination characters, or
not contain valid integers.

Null terminate the strings and check for errors when converting them to
integers.

Also validate that the addresses are at least BCM963XX_EXTENDED_SIZE
because this will be subtracted from them.
Signed-off-by: Simon Arlott <simon@fire.lp0.eu>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
parent 7fffa694
...@@ -169,10 +169,39 @@ static int bcm63xx_parse_cfe_partitions(struct mtd_info *master, ...@@ -169,10 +169,39 @@ static int bcm63xx_parse_cfe_partitions(struct mtd_info *master,
/* Get the tag */ /* Get the tag */
ret = bcm63xx_read_image_tag(master, "rootfs", cfelen, buf); ret = bcm63xx_read_image_tag(master, "rootfs", cfelen, buf);
if (!ret) { if (!ret) {
sscanf(buf->flash_image_start, "%u", &rootfsaddr); STR_NULL_TERMINATE(buf->flash_image_start);
sscanf(buf->kernel_address, "%u", &kerneladdr); if (kstrtouint(buf->flash_image_start, 10, &rootfsaddr) ||
sscanf(buf->kernel_length, "%u", &kernellen); rootfsaddr < BCM963XX_EXTENDED_SIZE) {
sscanf(buf->total_length, "%u", &totallen); pr_err("invalid rootfs address: %*ph\n",
sizeof(buf->flash_image_start),
buf->flash_image_start);
goto invalid_tag;
}
STR_NULL_TERMINATE(buf->kernel_address);
if (kstrtouint(buf->kernel_address, 10, &kerneladdr) ||
kerneladdr < BCM963XX_EXTENDED_SIZE) {
pr_err("invalid kernel address: %*ph\n",
sizeof(buf->kernel_address),
buf->kernel_address);
goto invalid_tag;
}
STR_NULL_TERMINATE(buf->kernel_length);
if (kstrtouint(buf->kernel_length, 10, &kernellen)) {
pr_err("invalid kernel length: %*ph\n",
sizeof(buf->kernel_length),
buf->kernel_length);
goto invalid_tag;
}
STR_NULL_TERMINATE(buf->total_length);
if (kstrtouint(buf->total_length, 10, &totallen)) {
pr_err("invalid total length: %*ph\n",
sizeof(buf->total_length),
buf->total_length);
goto invalid_tag;
}
kerneladdr = kerneladdr - BCM963XX_EXTENDED_SIZE; kerneladdr = kerneladdr - BCM963XX_EXTENDED_SIZE;
rootfsaddr = rootfsaddr - BCM963XX_EXTENDED_SIZE; rootfsaddr = rootfsaddr - BCM963XX_EXTENDED_SIZE;
...@@ -188,6 +217,7 @@ static int bcm63xx_parse_cfe_partitions(struct mtd_info *master, ...@@ -188,6 +217,7 @@ static int bcm63xx_parse_cfe_partitions(struct mtd_info *master,
rootfslen = spareaddr - rootfsaddr; rootfslen = spareaddr - rootfsaddr;
} }
} else if (ret > 0) { } else if (ret > 0) {
invalid_tag:
kernellen = 0; kernellen = 0;
rootfslen = 0; rootfslen = 0;
rootfsaddr = 0; rootfsaddr = 0;
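Review bot: The new checks bound the two addresses only from below and accept any kernel_length and total_length that parses, so values read from flash can still be far larger than the device. Nothing in the first hunk compares kerneladdr, rootfsaddr, kernellen or totallen with master->size, and `rootfslen = spareaddr - rootfsaddr;` in the second hunk is presumably an unsigned subtraction that wraps if rootfsaddr ends up above spareaddr. Whether later code rejects such a layout is not visible here, because bcm63xx_parse_cfe_partitions continues outside both hunks. I would add a range check after the two subtractions, for example `if (kerneladdr > master->size || kernellen > master->size - kerneladdr) goto invalid_tag;`, with the same for the rootfs values. Separately, `%*ph` takes its width as an int while sizeof yields size_t, so each pr_err should pass `(int)sizeof(buf->flash_image_start)` and likewise for the other three fields.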