[PATCH] nftl_format: prevent buffer overflow in BadUnitTable access
David Oberhollenzer
david.oberhollenzer at sigma-star.at
Sun Apr 12 23:17:59 PDT 2026
Hi,
On 1/27/26 2:16 PM, Anton Moryakov wrote:
> However, `BadUnitTable` is a fixed-size array of
> `MAX_ERASE_ZONES` elements (typically 1024 or 4096).
>
> If the MTD device has more erase blocks than `MAX_ERASE_ZONES`,
> `ezone` can exceed the array bounds, causing a buffer overflow.
>
> Fix by limiting the loop upper bound to `MIN(maxzones, MAX_ERASE_ZONES)`.
>
I get that this would silence the static analyzer, but wouldn't that
introduce a different (logic) bug where the tool now silently fails
to handle erase zones past a magic limit?
I think the correct thing to do here is to dynamically allocate the
array based on the number of erase blocks.
Greetings,
David
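As an added illustration of the two approaches discussed in this thread (example code, not code from mtd-utils, the patch, or either poster), the stand-alone C program below contrasts the clamped loop from the patch with a bad-unit table sized from the device. Everything in it is constructed for the example: the value of `MAX_ERASE_ZONES`, the `struct fake_mtd` device, the `block_is_bad` stand-in for a per-block bad-block query, and the sample bad-block list.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limit for the example; the real value lives in mtd-utils, not here. */
#define MAX_ERASE_ZONES 1024
#define MIN(a, b) ((a) < (b) ? (a) : (b))

/* Constructed stand-in for an MTD device: its erase-block count and the
 * indices of erase blocks the bad-block check would report as bad. */
struct fake_mtd {
    unsigned int maxzones;       /* number of erase blocks on the device */
    const unsigned int *bad;     /* constructed list of bad erase blocks */
    size_t nbad;
};

/* Stand-in for the per-block bad-block query a real tool would issue. */
static int block_is_bad(const struct fake_mtd *mtd, unsigned int ezone)
{
    for (size_t i = 0; i < mtd->nbad; i++)
        if (mtd->bad[i] == ezone)
            return 1;
    return 0;
}

/* Option A (the proposed patch): keep the fixed array and clamp the loop.
 * No out-of-bounds write, but every erase zone at or beyond MAX_ERASE_ZONES
 * is silently never examined. Returns the bad-block count; *skipped receives
 * how many zones the clamp dropped. */
unsigned int scan_clamped(const struct fake_mtd *mtd,
                          uint16_t table[MAX_ERASE_ZONES], unsigned int *skipped)
{
    unsigned int limit = MIN(mtd->maxzones, MAX_ERASE_ZONES);
    unsigned int bad = 0;

    memset(table, 0, MAX_ERASE_ZONES * sizeof table[0]);
    for (unsigned int ezone = 0; ezone < limit; ezone++)
        if (block_is_bad(mtd, ezone)) {
            table[ezone] = 1;
            bad++;
        }
    *skipped = mtd->maxzones - limit;
    return bad;
}

/* Option B (the reply's suggestion): size the table from the device, so the
 * index can never exceed the allocation and no zone is left unhandled.
 * Returns a calloc'd table of mtd->maxzones entries; the caller frees it. */
uint16_t *scan_dynamic(const struct fake_mtd *mtd, unsigned int *nbad_out)
{
    uint16_t *table = calloc(mtd->maxzones, sizeof *table);
    unsigned int bad = 0;

    if (!table)
        return NULL;
    for (unsigned int ezone = 0; ezone < mtd->maxzones; ezone++)
        if (block_is_bad(mtd, ezone)) {
            table[ezone] = 1;
            bad++;
        }
    *nbad_out = bad;
    return table;
}

/* Constructed device: 4096 erase blocks (more than MAX_ERASE_ZONES) with
 * bad blocks both inside and beyond the fixed limit. */
static const unsigned int sample_bad[] = { 7, 1500, 4000 };
const struct fake_mtd sample_dev = { 4096, sample_bad, 3 };

unsigned int clamped_bad_count(void)
{
    uint16_t table[MAX_ERASE_ZONES];
    unsigned int skipped;
    return scan_clamped(&sample_dev, table, &skipped);
}

unsigned int clamped_skipped_count(void)
{
    uint16_t table[MAX_ERASE_ZONES];
    unsigned int skipped;
    scan_clamped(&sample_dev, table, &skipped);
    return skipped;
}

unsigned int dynamic_bad_count(void)
{
    unsigned int n = 0;
    uint16_t *table = scan_dynamic(&sample_dev, &n);
    if (table && table[4000] != 1)   /* the zone past the limit must be recorded */
        n = 0;
    free(table);
    return n;
}

int main(void)
{
    printf("clamped: %u bad blocks found, %u zones never examined\n",
           clamped_bad_count(), clamped_skipped_count());
    printf("dynamic: %u bad blocks found, all %u zones examined\n",
           dynamic_bad_count(), sample_dev.maxzones);
    return 0;
}
```

On the constructed device the clamped scan reports one bad block and leaves 3072 erase zones unexamined, while the device-sized table records all three, including the one at index 4000 that the fixed array could never hold.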