author | Brandon Maier <brandon.maier@collins.com> | 2022-11-02 17:47:55 -0500 |
---|---|---|
committer | David Oberhollenzer <david.oberhollenzer@sigma-star.at> | 2022-11-07 08:24:42 +0100 |
commit | 92d826ac57e753da120a82cded354931b3fe8e76 (patch) | |
tree | 200a63e08ed29dc633e0f06247801955ebcdd0b2 | |
parent | 345c5bde41fc1238a3f3b9b1a52e30ec7ab99b6e (diff) |
misc-utils: flashcp: fix buffer overflow
The DIFF_BLOCKS code requires that src and dest buffers be large enough
to hold one MTD erasesize. This is because each loop operates on one
eraseblock so that it can erase and write one whole sector. But the src
and dest buffers are fixed at BUFSIZE, so on platforms where the MTD
erasesize is larger than BUFSIZE it will overflow the buffers.
Instead allocate the buffers dynamically so that they can be sized to
fit the erasesize.
Signed-off-by: Brandon Maier <brandon.maier@collins.com>
Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
-rw-r--r-- | misc-utils/flashcp.c | 21 |
1 files changed, 13 insertions, 8 deletions
diff --git a/misc-utils/flashcp.c b/misc-utils/flashcp.c
index 9e92fa2..1dc0877 100644
--- a/misc-utils/flashcp.c
+++ b/misc-utils/flashcp.c
@@ -57,9 +57,6 @@
 #define KB(x) ((x) / 1024)
 #define PERCENTAGE(x,total) (((x) * 100) / (total))
-/* size of read/write buffer */
-#define BUFSIZE (10 * 1024)
-
 /* cmd-line flags */
 #define FLAG_NONE 0x00
 #define FLAG_HELP 0x02
@@ -222,7 +219,7 @@ int main (int argc,char *argv[])
 struct mtd_info_user mtd;
 struct erase_info_user erase;
 struct stat filestat;
- unsigned char src[BUFSIZE],dest[BUFSIZE];
+ unsigned char *src,*dest;
 /*********************
 * parse cmd-line
@@ -304,6 +301,14 @@ int main (int argc,char *argv[])
 if (filestat.st_size > mtd.size)
 log_failure("%s won't fit into %s!\n",filename,device);
+ src = malloc(mtd.erasesize);
+ if (!src)
+ log_failure("Malloc failed");
+
+ dest = malloc(mtd.erasesize);
+ if (!dest)
+ log_failure("Malloc failed");
+
 /* diff block flashcp */
 if (flags & FLAG_PARTITION)
 {
@@ -355,11 +360,11 @@ int main (int argc,char *argv[])
 log_verbose ("Writing data: 0k/%lluk (0%%)",KB ((unsigned long long)filestat.st_size));
 size = filestat.st_size;
- i = BUFSIZE;
+ i = mtd.erasesize;
 written = 0;
 while (size)
 {
- if (size < BUFSIZE) i = size;
+ if (size < mtd.erasesize) i = size;
 log_verbose ("\rWriting data: %dk/%lluk (%llu%%)",
 KB (written + i),
 KB ((unsigned long long)filestat.st_size),
@@ -386,12 +391,12 @@ int main (int argc,char *argv[])
 safe_rewind (fil_fd,filename);
 safe_rewind (dev_fd,device);
 size = filestat.st_size;
- i = BUFSIZE;
+ i = mtd.erasesize;
 written = 0;
 log_verbose ("Verifying data: 0k/%lluk (0%%)",KB ((unsigned long long)filestat.st_size));
 while (size)
 {
- if (size < BUFSIZE) i = size;
+ if (size < mtd.erasesize) i = size;
 log_verbose ("\rVerifying data: %luk/%lluk (%llu%%)",
 KB (written + i),
 KB ((unsigned long long)filestat.st_size), |
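Review bot: `mtd.erasesize` goes straight into `malloc()` in the `@@ -304,6 +301,14 @@` hunk with no sanity check, and the write and verify loops later in the patch reuse it as their chunk size. The value is reported by the MTD device, so a zero erasesize would give a zero-length buffer and, as far as the visible loop lines show, a chunk size `i` of 0. A guard before the first allocation, for example `if (mtd.erasesize == 0) log_failure("%s reports a zero erasesize\n",device);`, would make that case an explicit error. The two `"Malloc failed"` messages also lack the trailing `\n` that the neighbouring `log_failure` call uses. main() starts and ends outside the hunk, so whether `src` and `dest` are released on the exit paths cannot be judged from here.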
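Review bot: `i = mtd.erasesize;` in the `@@ -355,11 +360,11 @@` hunk, and again in the `@@ -386,12 +391,12 @@` verify hunk, stores a device-reported size in `i`, whose declaration is outside both hunks. The unchanged `log_verbose` lines print the same expression `KB (written + i)` with `%d` in the write loop and `%lu` in the verify loop, so at least one of those specifiers cannot match the argument type. Now that the chunk is no longer capped at 10 KiB, it would be safer to declare `i` with the same type as `size` and use one matching specifier in both progress messages. Both loops continue past the end of their hunks.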