cmd_sf: add size checking to spi flash commands
authorGerlando Falauto <gerlando.falauto@keymile.com>
Tue, 3 Apr 2012 04:34:13 +0000 (04:34 +0000)
committerMike Frysinger <vapier@gentoo.org>
Tue, 3 Apr 2012 04:34:13 +0000 (04:34 +0000)
SPI flash operations inadvertently stretching beyond the flash size will
result in a wraparound. This may be particularly dangerous when burning
u-boot, because the flash contents will be corrupted rendering the board
unusable, without any warning being issued.
So add a consistency checking so not to overflow past the flash size.

Signed-off-by: Gerlando Falauto <gerlando.falauto@keymile.com>
Signed-off-by: Mike Frysinger <vapier@gentoo.org>
common/cmd_sf.c

index 9c76464a9a84a72862d97e4d1235f57785cb1e7b..5ac1d0c4c1ef4ef9cc34b30b3e056b2a76744beb 100644 (file)
@@ -211,6 +211,13 @@ static int do_spi_flash_read_write(int argc, char * const argv[])
        if (*argv[3] == 0 || *endp != 0)
                return -1;
 
+       /* Consistency checking */
+       if (offset + len > flash->size) {
+               printf("ERROR: attempting %s past flash size (%#x)\n",
+                       argv[0], flash->size);
+               return 1;
+       }
+
        buf = map_physmem(addr, len, MAP_WRBACK);
        if (!buf) {
                puts("Failed to map physical memory\n");
@@ -252,6 +259,13 @@ static int do_spi_flash_erase(int argc, char * const argv[])
        if (ret != 1)
                return -1;
 
+       /* Consistency checking */
+       if (offset + len > flash->size) {
+               printf("ERROR: attempting %s past flash size (%#x)\n",
+                       argv[0], flash->size);
+               return 1;
+       }
+
        ret = spi_flash_erase(flash, offset, len);
        if (ret) {
                printf("SPI flash %s failed\n", argv[0]);