diff options
| author | Tomer Barletz <barletz@gmail.com> | 2012-06-26 14:46:41 -0700 |
|---|---|---|
| committer | Artem Bityutskiy <artem.bityutskiy@linux.intel.com> | 2012-06-29 11:29:26 +0300 |
| commit | d7f1b2f9abde75b88e69490d619857c82e7e3517 (patch) | |
| tree | 9c27a34eb16ec25713f65154819291a165829089 /nandwrite.c | |
| parent | 5625ce5e25bcdc04603a4e44f228fe4a3586e77a (diff) | |
mtd-utils: Check mtdoffset is not larger than mtd.size in case of a bad block.
mtdoffset is being tested against mtd.size in the outer two loops, but
the third nested one does not test against it.
In case of a bad block we'll try to access an out of bounds offset in
the next MEMGETBADBLOCK ioctl, which will fail with EINVAL.
In case mtdoffset is indeed larger than the partition size, we need to
bail, since there are not enough "good" blocks to complete the write.
Signed-off-by: Tomer Barletz <barletz@gmail.com>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Diffstat (limited to 'nandwrite.c')
| -rw-r--r-- | nandwrite.c | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/nandwrite.c b/nandwrite.c index ca0c263..de8e7d2 100644 --- a/nandwrite.c +++ b/nandwrite.c @@ -385,7 +385,8 @@ int main(int argc, char * const argv[]) continue; do { - if ((ret = mtd_is_bad(&mtd, fd, offs / ebsize_aligned)) < 0) { + ret = mtd_is_bad(&mtd, fd, offs / ebsize_aligned); + if (ret < 0) { sys_errmsg("%s: MTD get bad block failed", mtd_device); goto closeall; } else if (ret == 1) { @@ -396,9 +397,15 @@ int main(int argc, char * const argv[]) offs, blockalign, blockstart); } - if (baderaseblock) + if (baderaseblock) { mtdoffset = blockstart + ebsize_aligned; + if (mtdoffset > mtd.size) { + errmsg("too many bad blocks, cannot complete request"); + goto closeall; + } + } + offs += ebsize_aligned / blockalign; } while (offs < blockstart + ebsize_aligned); |