dany/u-boot-megous
1
0
Fork 0
mirror of https://xff.cz/git/u-boot/ synced 2025-09-02 17:22:22 +02:00
Code Issues Packages Projects Releases Wiki Activity

xyz-modem: Fix crash after cancelling transfer

Browse Source 
Variable xyz.len is set to -1 on error. At the end xyzModem_stream_read()
function calls memcpy() with length from variable xyz.len. If this variable
is set to -1 then value passed to memcpy is casted to unsigned value, which
means to copy whole address space. Which then cause U-Boot crash. E.g. on
arm64 it cause CPU crash: "Synchronous Abort" handler, esr 0x96000006

Fix this issue by checking that value stored in xyz.len is valid prior
trying to use it.

Signed-off-by: Pali Rohár <pali@kernel.org>
Acked-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
This commit is contained in:
Pali Rohár
2021-08-03 16:28:38 +02:00
committed by Tom Rini
parent 0017931971
commit 1e7478461b
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
common/xyzModem.c
View File

@@ -494,7 +494,7 @@ xyzModem_stream_read (char *buf, int size, int *err)
total = 0; total = 0;
stat = xyzModem_cancel; stat = xyzModem_cancel;
/* Try and get 'size' bytes into the buffer */ /* Try and get 'size' bytes into the buffer */
while (!xyz.at_eof && (size > 0)) while (!xyz.at_eof && xyz.len >= 0 && (size > 0))
{ {
if (xyz.len == 0) if (xyz.len == 0)
{ {
@@ -587,7 +587,7 @@ xyzModem_stream_read (char *buf, int size, int *err)
} }
} }
/* Don't "read" data from the EOF protocol package */ /* Don't "read" data from the EOF protocol package */
if (!xyz.at_eof) if (!xyz.at_eof && xyz.len > 0)
{ {
len = xyz.len; len = xyz.len;
if (size < len) if (size < len)