From 772aa9799353d1d6bd6d9e2682945d4d7122539a Mon Sep 17 00:00:00 2001 From: Boris Brezillon Date: Sun, 2 Dec 2018 10:54:28 +0100 Subject: [PATCH] mtd: Make sure the name passed in mtdparts fits in mtd_name[] The local mtd_name[] variable is limited in size. Return an error if the name passed in mtdparts does not fit in this local var. Fixes: 5db66b3aee6f ("cmd: mtd: add 'mtd' command") Signed-off-by: Boris Brezillon Tested-by: Heiko Schocher --- drivers/mtd/mtd_uboot.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/drivers/mtd/mtd_uboot.c b/drivers/mtd/mtd_uboot.c index d551aee202..0eda362783 100644 --- a/drivers/mtd/mtd_uboot.c +++ b/drivers/mtd/mtd_uboot.c @@ -222,8 +222,8 @@ int mtd_probe_devices(void) while (mtdparts[0] != '\0') { char mtd_name[MTD_NAME_MAX_LEN], *colon; struct mtd_partition *parts; - int mtd_name_len, nparts; - int ret; + unsigned int mtd_name_len; + int nparts, ret; colon = strchr(mtdparts, ':'); if (!colon) { @@ -231,7 +231,12 @@ int mtd_probe_devices(void) return -EINVAL; } - mtd_name_len = colon - mtdparts; + mtd_name_len = (unsigned int)(colon - mtdparts); + if (mtd_name_len + 1 > sizeof(mtd_name)) { + printf("MTD name too long: %s\n", mtdparts); + return -EINVAL; + } + strncpy(mtd_name, mtdparts, mtd_name_len); mtd_name[mtd_name_len] = '\0'; /* Move the pointer forward (including the ':') */ -- 2.25.1