From: Ian Campbell Date: Fri, 3 Oct 2014 13:29:01 +0000 (+0100) Subject: pxe: Ensure we don't overflow bootargs X-Git-Tag: v2025.01-rc5-pxa1908~14581 X-Git-Url: http://git.dujemihanovic.xyz/html/%7B%7B%20%28.OutputFormats.Get?a=commitdiff_plain;h=64a0c24726530696bf0c2cdaa75d171d957a7ee0;p=u-boot.git pxe: Ensure we don't overflow bootargs On a couple of platforms I've tripped over long PXE append lines overflowing this array, due to having CONFIG_SYS_CBSIZE == 256. When doing preseeded Debian installs it's pretty trivial to exceed that. Since the symptom can be a silent hang or a crash add a check. Of course the affected boards would also need an increased CBSIZE to actually work. Note that due to the printing of the final bootargs string CONFIG_SYS_PBSIZE also needs to be sufficiently large. Signed-off-by: Ian Campbell [trini: Use %zd not %d in printf for all args] Signed-off-by: Tom Rini --- diff --git a/common/cmd_pxe.c b/common/cmd_pxe.c index 0ab1e0aaa6..7e32c95df3 100644 --- a/common/cmd_pxe.c +++ b/common/cmd_pxe.c @@ -674,6 +674,15 @@ static int label_boot(cmd_tbl_t *cmdtp, struct pxe_label *label) char bootargs[CONFIG_SYS_CBSIZE] = ""; char finalbootargs[CONFIG_SYS_CBSIZE]; + if (strlen(label->append ?: "") + + strlen(ip_str) + strlen(mac_str) + 1 > sizeof(bootargs)) { + printf("bootarg overflow %zd+%zd+%zd+1 > %zd\n", + strlen(label->append ?: ""), + strlen(ip_str), strlen(mac_str), + sizeof(bootargs)); + return 1; + } + if (label->append) strcpy(bootargs, label->append); strcat(bootargs, ip_str);
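Review bot: the new length check at the top of label_boot() bounds only bootargs, while finalbootargs is declared just above it with the same CONFIG_SYS_CBSIZE size and nothing in this hunk limits what is later written into it. If the final string is produced by expanding bootargs, it can be longer than its input, so the code that fills finalbootargs should be checked for a similar bound, or that write should be length-limited. Two smaller points on the added lines: strlen() and sizeof yield size_t, so the format should be `%zu` rather than `%zd`; and the three strlen() calls are evaluated once for the comparison and again for the printf, so storing them in size_t locals would make the condition and the message easier to read and keep them in step. The strcpy()/strcat() calls in the trailing context stay unbounded and depend entirely on this check, so a short comment saying so above the `if` would help anyone who later adds another string to bootargs remember to extend the sum.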