From: Gerlando Falauto Date: Tue, 3 Apr 2012 04:34:13 +0000 (+0000) Subject: cmd_sf: add size checking to spi flash commands X-Git-Tag: v2012.10-rc1~418 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=864939949eda9108fb7bc350af040500cd102954;p=oweals%2Fu-boot.git cmd_sf: add size checking to spi flash commands SPI flash operations inadvertently stretching beyond the flash size will result in a wraparound. This may be particularly dangerous when burning u-boot, because the flash contents will be corrupted rendering the board unusable, without any warning being issued. So add a consistency checking so not to overflow past the flash size. Signed-off-by: Gerlando Falauto Signed-off-by: Mike Frysinger --- diff --git a/common/cmd_sf.c b/common/cmd_sf.c index 9c76464a9a..5ac1d0c4c1 100644 --- a/common/cmd_sf.c +++ b/common/cmd_sf.c @@ -211,6 +211,13 @@ static int do_spi_flash_read_write(int argc, char * const argv[]) if (*argv[3] == 0 || *endp != 0) return -1; + /* Consistency checking */ + if (offset + len > flash->size) { + printf("ERROR: attempting %s past flash size (%#x)\n", + argv[0], flash->size); + return 1; + } + buf = map_physmem(addr, len, MAP_WRBACK); if (!buf) { puts("Failed to map physical memory\n"); @@ -252,6 +259,13 @@ static int do_spi_flash_erase(int argc, char * const argv[]) if (ret != 1) return -1; + /* Consistency checking */ + if (offset + len > flash->size) { + printf("ERROR: attempting %s past flash size (%#x)\n", + argv[0], flash->size); + return 1; + } + ret = spi_flash_erase(flash, offset, len); if (ret) { printf("SPI flash %s failed\n", argv[0]);