diff options
author | Doug Anderson <dianders@chromium.org> | 2012-01-17 09:37:41 +0000 |
---|---|---|
committer | Tom Rini <trini@ti.com> | 2013-05-17 14:43:29 -0400 |
commit | a558ad71132fa6061ff950b9d3a12b0dad01b129 (patch) | |
tree | ba00c0c1b29245d1e3435259a839b1fbe58e1261 /common | |
parent | 8ac28563a059bea49c23bfc4ae88f749ad2b47d3 (diff) | |
download | u-boot-imx-a558ad71132fa6061ff950b9d3a12b0dad01b129.zip u-boot-imx-a558ad71132fa6061ff950b9d3a12b0dad01b129.tar.gz u-boot-imx-a558ad71132fa6061ff950b9d3a12b0dad01b129.tar.bz2 |
bootm: Avoid 256-byte overflow in fixup_silent_linux()
This makes fixup_silent_linux() use malloc() to allocate its
working space, meaning that our maximum kernel command line
should only be limited by malloc(). Previously it was silently
overflowing the stack.
Note that nothing about this change increases the kernel's maximum
command line length. If you have a command line that is >256
bytes it's up to you to make sure that kernel can handle it.
Signed-off-by: Doug Anderson <dianders@chromium.org>
Acked-by: Mike Frysinger <vapier@gentoo.org>
Diffstat (limited to 'common')
-rw-r--r-- | common/cmd_bootm.c | 41 |
1 files changed, 29 insertions, 12 deletions
diff --git a/common/cmd_bootm.c b/common/cmd_bootm.c index dd6cafa..15f4599 100644 --- a/common/cmd_bootm.c +++ b/common/cmd_bootm.c @@ -1423,9 +1423,14 @@ U_BOOT_CMD( /* helper routines */ /*******************************************************************/ #if defined(CONFIG_SILENT_CONSOLE) && !defined(CONFIG_SILENT_U_BOOT_ONLY) + +#define CONSOLE_ARG "console=" +#define CONSOLE_ARG_LEN (sizeof(CONSOLE_ARG) - 1) + static void fixup_silent_linux(void) { - char buf[256], *start, *end; + char *buf; + const char *env_val; char *cmdline = getenv("bootargs"); /* Only fix cmdline when requested */ @@ -1433,25 +1438,37 @@ static void fixup_silent_linux(void) return; debug("before silent fix-up: %s\n", cmdline); - if (cmdline) { - start = strstr(cmdline, "console="); + if (cmdline && (cmdline[0] != '\0')) { + char *start = strstr(cmdline, CONSOLE_ARG); + + /* Allocate space for maximum possible new command line */ + buf = malloc(strlen(cmdline) + 1 + CONSOLE_ARG_LEN + 1); + if (!buf) { + debug("%s: out of memory\n", __func__); + return; + } + if (start) { - end = strchr(start, ' '); - strncpy(buf, cmdline, (start - cmdline + 8)); + char *end = strchr(start, ' '); + int num_start_bytes = start - cmdline + CONSOLE_ARG_LEN; + + strncpy(buf, cmdline, num_start_bytes); if (end) - strcpy(buf + (start - cmdline + 8), end); + strcpy(buf + num_start_bytes, end); else - buf[start - cmdline + 8] = '\0'; + buf[num_start_bytes] = '\0'; } else { - strcpy(buf, cmdline); - strcat(buf, " console="); + sprintf(buf, "%s %s", cmdline, CONSOLE_ARG); } + env_val = buf; } else { - strcpy(buf, "console="); + buf = NULL; + env_val = CONSOLE_ARG; } - setenv("bootargs", buf); - debug("after silent fix-up: %s\n", buf); + setenv("bootargs", env_val); + debug("after silent fix-up: %s\n", env_val); + free(buf); } #endif /* CONFIG_SILENT_CONSOLE */ |