summaryrefslogtreecommitdiff
path: root/fs
diff options
context:
space:
mode:
authorStefano Babic <sbabic@denx.de>2010-10-20 08:51:45 +0200
committerWolfgang Denk <wd@denx.de>2010-10-20 09:14:38 +0200
commit11c8dd36edcc82564a19dbd0103302df66d66db0 (patch)
treeb2e6607a5d313a9185d8c1f961b4a9f50a1c6a38 /fs
parent70994c79caec0b0304aa87d9695c79f1862ea340 (diff)
downloadu-boot-imx-11c8dd36edcc82564a19dbd0103302df66d66db0.zip
u-boot-imx-11c8dd36edcc82564a19dbd0103302df66d66db0.tar.gz
u-boot-imx-11c8dd36edcc82564a19dbd0103302df66d66db0.tar.bz2
FAT: buffer overflow with FAT12/16
Last commit 3831530dcb7b71329c272ccd6181f8038b6a6dd0a was intended "explicitly specify FAT12/16 root directory parsing buffer size, instead of relying on cluster size". Howver, the underlying function requires the size of the buffer in blocks, not in bytes, and instead of passing a double sector size a request for 1024 blocks is sent. This generates a buffer overflow with overwriting of other structure (in the case seen, USB structures were overwritten). Signed-off-by: Stefano Babic <sbabic@denx.de> CC: Mikhail Zolotaryov <lebon@lebon.org.ua>
Diffstat (limited to 'fs')
-rw-r--r--fs/fat/fat.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/fat/fat.c b/fs/fat/fat.c
index 744e961..a75e4f2 100644
--- a/fs/fat/fat.c
+++ b/fs/fat/fat.c
@@ -858,7 +858,7 @@ do_fat_read (const char *filename, void *buffer, unsigned long maxsize,
if (disk_read(cursect,
(mydata->fatsize == 32) ?
(mydata->clust_size) :
- LINEAR_PREFETCH_SIZE,
+ LINEAR_PREFETCH_SIZE / SECTOR_SIZE,
do_fat_read_block) < 0) {
debug("Error: reading rootdir block\n");
return -1;