[PATCH mtd-utils 5/7] misc-utils: flashcp: fix buffer overflow

Brandon Maier brandon.maier at collins.com
Wed Nov 2 15:47:55 PDT 2022


The DIFF_BLOCKS code requires that src and dest buffers be large enough
to hold one MTD erasesize. This is because each loop operates on one
eraseblock so that it can erase and write one whole sector. But the src
and dest buffers are fixed at BUFSIZE, so on platforms where the MTD
erasesize is larger than BUFSIZE it will overflow the buffers.

Instead allocate the buffers dynamically so that they can be sized to
fit the erasesize.

Signed-off-by: Brandon Maier <brandon.maier at collins.com>
---
 misc-utils/flashcp.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/misc-utils/flashcp.c b/misc-utils/flashcp.c
index 9e669b4..02be081 100644
--- a/misc-utils/flashcp.c
+++ b/misc-utils/flashcp.c
@@ -57,9 +57,6 @@
 #define KB(x) ((x) / 1024)
 #define PERCENTAGE(x,total) (((x) * 100) / (total))
 
-/* size of read/write buffer */
-#define BUFSIZE (10 * 1024)
-
 /* cmd-line flags */
 #define FLAG_NONE		0x00
 #define FLAG_HELP		0x02
@@ -222,7 +219,7 @@ int main (int argc,char *argv[])
 	struct mtd_info_user mtd;
 	struct erase_info_user erase;
 	struct stat filestat;
-	unsigned char src[BUFSIZE],dest[BUFSIZE];
+	unsigned char *src,*dest;
 
 	/*********************
 	 * parse cmd-line
@@ -305,6 +302,14 @@ int main (int argc,char *argv[])
 	if (filestat.st_size > mtd.size)
 		log_failure("%s won't fit into %s!\n",filename,device);
 
+	src = malloc(mtd.erasesize);
+	if (!src)
+		log_failure("Malloc failed");
+
+	dest = malloc(mtd.erasesize);
+	if (!dest)
+		log_failure("Malloc failed");
+
 	/* diff block flashcp */
 	if (flags & FLAG_PARTITION)
 	{
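Review bot: The two new `log_failure("Malloc failed")` messages lack the trailing newline that the other messages in this function carry (compare `"%s won't fit into %s!\n"` a few lines above), so the error text runs straight into whatever is printed next; use `log_failure("Malloc failed\n");` for both. The code after each check dereferences the buffer, so this relies on log_failure() not returning — it is defined outside the hunk, so worth confirming. Nothing visible here rejects `mtd.erasesize == 0`; if the MEMGETINFO result can report that, `malloc(0)` may legitimately return NULL and the write loop later steps by zero bytes, so a cheap guard such as `if (!mtd.erasesize) log_failure("%s reports a zero erasesize\n", device);` before the allocations would make the failure explicit. main() continues outside the hunk.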
@@ -356,11 +361,11 @@ int main (int argc,char *argv[])
 
 	log_verbose ("Writing data: 0k/%lluk (0%%)",KB ((unsigned long long)filestat.st_size));
 	size = filestat.st_size;
-	i = BUFSIZE;
+	i = mtd.erasesize;
 	written = 0;
 	while (size)
 	{
-		if (size < BUFSIZE) i = size;
+		if (size < mtd.erasesize) i = size;
 		log_verbose ("\rWriting data: %dk/%lluk (%llu%%)",
 				KB (written + i),
 				KB ((unsigned long long)filestat.st_size),
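Review bot: `mtd.erasesize` now appears as the chunk size in `i = mtd.erasesize;` and `if (size < mtd.erasesize) i = size;` here, again in the verify loop of the next hunk, and in the two malloc calls, which leaves the reader to check by eye that the buffer allocation and the loop step agree. A single named local, e.g. `const size_t bufsize = mtd.erasesize;` set where the buffers are allocated, would tie the four uses together and keep the old BUFSIZE reading. Note that `i` is declared outside the hunk; if it is a plain `int` (the `%dk` format on the log line suggests so), it now receives a 32-bit unsigned value rather than a small constant, which is harmless for real erase sizes but worth a glance. The log_verbose call continues past the end of the hunk.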
@@ -387,12 +392,12 @@ int main (int argc,char *argv[])
 	safe_rewind (fil_fd,filename);
 	safe_rewind (dev_fd,device);
 	size = filestat.st_size;
-	i = BUFSIZE;
+	i = mtd.erasesize;
 	written = 0;
 	log_verbose ("Verifying data: 0k/%lluk (0%%)",KB ((unsigned long long)filestat.st_size));
 	while (size)
 	{
-		if (size < BUFSIZE) i = size;
+		if (size < mtd.erasesize) i = size;
 		log_verbose ("\rVerifying data: %luk/%lluk (%llu%%)",
 				KB (written + i),
 				KB ((unsigned long long)filestat.st_size),
-- 
2.38.1



