authorBrandon Maier <brandon.maier@collins.com>2022-11-02 17:47:55 -0500
committerDavid Oberhollenzer <david.oberhollenzer@sigma-star.at>2022-11-07 08:24:42 +0100
commit92d826ac57e753da120a82cded354931b3fe8e76 (patch)
tree200a63e08ed29dc633e0f06247801955ebcdd0b2
parent345c5bde41fc1238a3f3b9b1a52e30ec7ab99b6e (diff)
misc-utils: flashcp: fix buffer overflow
The DIFF_BLOCKS code requires that src and dest buffers be large enough to hold one MTD erasesize. This is because each loop operates on one eraseblock so that it can erase and write one whole sector. But the src and dest buffers are fixed at BUFSIZE, so on platforms where the MTD erasesize is larger than BUFSIZE it will overflow the buffers. Instead allocate the buffers dynamically so that they can be sized to fit the erasesize. Signed-off-by: Brandon Maier <brandon.maier@collins.com> Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>
-rw-r--r--misc-utils/flashcp.c21
1 files changed, 13 insertions, 8 deletions
diff --git a/misc-utils/flashcp.c b/misc-utils/flashcp.c
index 9e92fa2..1dc0877 100644
--- a/misc-utils/flashcp.c
+++ b/misc-utils/flashcp.c
@@ -57,9 +57,6 @@
#define KB(x) ((x) / 1024)
#define PERCENTAGE(x,total) (((x) * 100) / (total))
-/* size of read/write buffer */
-#define BUFSIZE (10 * 1024)
-
/* cmd-line flags */
#define FLAG_NONE 0x00
#define FLAG_HELP 0x02
@@ -222,7 +219,7 @@ int main (int argc,char *argv[])
struct mtd_info_user mtd;
struct erase_info_user erase;
struct stat filestat;
- unsigned char src[BUFSIZE],dest[BUFSIZE];
+ unsigned char *src,*dest;
/*********************
* parse cmd-line
@@ -304,6 +301,14 @@ int main (int argc,char *argv[])
if (filestat.st_size > mtd.size)
log_failure("%s won't fit into %s!\n",filename,device);
+ src = malloc(mtd.erasesize);
+ if (!src)
+ log_failure("Malloc failed");
+
+ dest = malloc(mtd.erasesize);
+ if (!dest)
+ log_failure("Malloc failed");
+
/* diff block flashcp */
if (flags & FLAG_PARTITION)
{
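Review bot: `mtd.erasesize` is passed straight to `malloc()` here without a check that the device reported a non-zero erase size. With a zero value, `malloc(0)` may return either NULL or a zero-length buffer, and the write and verify loops in the later hunks (`i = mtd.erasesize;`) would then use a chunk length of 0, which presumably never shrinks `size` (the loop bodies are outside the hunks). A guard ahead of the allocations such as `if (!mtd.erasesize) log_failure("%s reports an erase size of 0\n",device);` would reject that case. The two new `log_failure("Malloc failed")` messages also lack the trailing `\n` used by the call just above them. main() starts and ends outside this hunk.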
@@ -355,11 +360,11 @@ int main (int argc,char *argv[])
log_verbose ("Writing data: 0k/%lluk (0%%)",KB ((unsigned long long)filestat.st_size));
size = filestat.st_size;
- i = BUFSIZE;
+ i = mtd.erasesize;
written = 0;
while (size)
{
- if (size < BUFSIZE) i = size;
+ if (size < mtd.erasesize) i = size;
log_verbose ("\rWriting data: %dk/%lluk (%llu%%)",
KB (written + i),
KB ((unsigned long long)filestat.st_size),
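Review bot: Nothing at `i = mtd.erasesize;` records that this chunk length is what keeps each transfer inside the `src` and `dest` buffers, which are now allocated with exactly `mtd.erasesize` bytes. With the BUFSIZE define and its comment gone, a short comment would help, for example `/* chunk length must not exceed mtd.erasesize, the allocated size of src/dest */`. The same applies to the verify loop in the next hunk. The read/write calls that consume `i` are outside the hunk, so this assumes they use it as the transfer length.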
@@ -386,12 +391,12 @@ int main (int argc,char *argv[])
safe_rewind (fil_fd,filename);
safe_rewind (dev_fd,device);
size = filestat.st_size;
- i = BUFSIZE;
+ i = mtd.erasesize;
written = 0;
log_verbose ("Verifying data: 0k/%lluk (0%%)",KB ((unsigned long long)filestat.st_size));
while (size)
{
- if (size < BUFSIZE) i = size;
+ if (size < mtd.erasesize) i = size;
log_verbose ("\rVerifying data: %luk/%lluk (%llu%%)",
KB (written + i),
KB ((unsigned long long)filestat.st_size),