From 21a8b9c2ac453dce1cfe26cca6f2ba14964c29f5 Mon Sep 17 00:00:00 2001 From: Artem Bityutskiy Date: Mon, 11 May 2009 19:22:34 +0300 Subject: ubi-utils: fix memory corruptions This patch contains changes similar to the ones in the previous patch. Also, it changes all invocations of memset and makes sure the argument is 0, not '\0', because memset expects int, not char. Signed-off-by: Artem Bityutskiy --- ubi-utils/src/libmtd.c | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) (limited to 'ubi-utils/src/libmtd.c') diff --git a/ubi-utils/src/libmtd.c b/ubi-utils/src/libmtd.c index 046beea..b050bea 100644 --- a/ubi-utils/src/libmtd.c +++ b/ubi-utils/src/libmtd.c @@ -89,6 +89,14 @@ static int read_data(const char *file, void *buf, int buf_len) goto out_error; } + if (rd == buf_len) { + errmsg("contents of \"%s\" is too long", file); + errno = EINVAL; + goto out_error; + } + + ((char *)buf)[rd] = '\0'; + /* Make sure all data is read */ tmp1 = read(fd, &tmp, 1); if (tmp1 == 1) { @@ -199,16 +207,17 @@ static int read_hex_ll(const char *file, long long *value) if (fd == -1) return -1; - rd = read(fd, buf, 50); + rd = read(fd, buf, sizeof(buf)); if (rd == -1) { sys_errmsg("cannot read \"%s\"", file); goto out_error; } - if (rd == 50) { + if (rd == sizeof(buf)) { errmsg("contents of \"%s\" is too long", file); errno = EINVAL; goto out_error; } + buf[rd] = '\0'; if (sscanf(buf, "%llx\n", value) != 1) { errmsg("cannot read integer from \"%s\"\n", file); @@ -571,7 +580,7 @@ int mtd_get_info(libmtd_t desc, struct mtd_info *info) struct dirent *dirent; struct libmtd *lib = (struct libmtd *)desc; - memset(info, '\0', sizeof(struct mtd_info)); + memset(info, 0, sizeof(struct mtd_info)); if (!lib->sysfs_supported) return legacy_mtd_get_info(info); 
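Review bot: The new terminator write in read_data, `((char *)buf)[rd] = '\0';`, changes the function's contract without documenting it: buf_len must now include room for the NUL, and a file that exactly fills the buffer is rejected with EINVAL. A header comment such as `/* buf_len includes space for the terminating NUL; at most buf_len - 1 bytes of content are accepted */` would keep callers from passing the bare content limit, which is the sizing the later mtd_get_dev_info1 hunk corrects with `MTD_NAME_MAX + 1`. Any other callers of read_data and dev_read_data are not visible in this patch and should be checked for the same sizing. The body of read_data starts and ends outside the hunk.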
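Review bot: In read_hex_ll, `rd == sizeof(buf)` compares the read() result with a size_t, which is safe only because the `rd == -1` branch above has already left the function; if rd is declared int or ssize_t (the declaration is outside the hunk) it also draws a sign-compare warning. Writing the bound as `if ((size_t)rd >= sizeof(buf)) {` makes it explicit that `buf[rd] = '\0';` can never index past the array. A short comment on the check, `/* a full buffer leaves no room for the terminating NUL */`, would explain why a completely filled buffer is treated as an error.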
@@ -643,7 +652,7 @@ int mtd_get_dev_info1(libmtd_t desc, int dev_num, struct mtd_dev_info *mtd) struct stat st; struct libmtd *lib = (struct libmtd *)desc; - memset(mtd, '\0', sizeof(struct mtd_dev_info)); + memset(mtd, 0, sizeof(struct mtd_dev_info)); mtd->dev_num = dev_num; if (!lib->sysfs_supported) @@ -663,13 +672,13 @@ int mtd_get_dev_info1(libmtd_t desc, int dev_num, struct mtd_dev_info *mtd) return -1; ret = dev_read_data(lib->mtd_name, dev_num, &mtd->name, - MTD_NAME_MAX); + MTD_NAME_MAX + 1); if (ret < 0) return -1; ((char *)mtd->name)[ret - 1] = '\0'; ret = dev_read_data(lib->mtd_type, dev_num, &mtd->type_str, - MTD_TYPE_MAX); + MTD_TYPE_MAX + 1); if (ret < 0) return -1; ((char *)mtd->type_str)[ret - 1] = '\0'; -- cgit v1.2.3
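Review bot: The index `ret - 1` in `((char *)mtd->name)[ret - 1] = '\0';`, and in the matching type_str line, is still unguarded against a zero-length read. Only `ret < 0` is rejected, so if dev_read_data can return 0 for an empty sysfs attribute (its return path is not shown here), the store lands one byte before the array. Tightening both checks to `if (ret <= 0) return -1;`, or stripping the trailing newline only when `ret > 0`, closes that case. The sizes would also be less fragile written as `sizeof(mtd->name)` and `sizeof(mtd->type_str)` rather than `MTD_NAME_MAX + 1`, assuming the fields are arrays, in line with the `sizeof(buf)` change in read_hex_ll.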