From: Michal Simek Date: Fri, 6 Nov 2020 12:55:45 +0000 (+0100) Subject: fru: ops: Do not let parser to write data to not allocated space X-Git-Tag: v2025.01-rc5-pxa1908~2120^2~1 X-Git-Url: http://git.dujemihanovic.xyz/img/static/%7B%7B%20%24image.RelPermalink%20%7D%7D?a=commitdiff_plain;h=b8771d0b1d660dfe34d55ddf320495325315d1d9;p=u-boot.git fru: ops: Do not let parser to write data to not allocated space If customs fields in board area are used it will likely go over allocated space in struct fru_board_data. That's why calculate limit of this structure to make sure that different data is not rewritten by accident. When limit is reached stop to record fields. Signed-off-by: Michal Simek --- diff --git a/board/xilinx/common/fru_ops.c b/board/xilinx/common/fru_ops.c index affcb121aa..b4cd3d4998 100644 --- a/board/xilinx/common/fru_ops.c +++ b/board/xilinx/common/fru_ops.c @@ -163,12 +163,15 @@ static int fru_parse_board(unsigned long addr) { u8 i, type; int len; - u8 *data, *term; + u8 *data, *term, *limit; memcpy(&fru_data.brd.ver, (void *)addr, 6); addr += 6; data = (u8 *)&fru_data.brd.manufacturer_type_len; + /* Record max structure limit not to write data over allocated space */ + limit = data + sizeof(struct fru_board_data); + for (i = 0; ; i++, data += FRU_BOARD_MAX_LEN) { len = fru_check_type_len(*(u8 *)addr, fru_data.brd.lang_code, &type); @@ -178,6 +181,9 @@ static int fru_parse_board(unsigned long addr) if (len == -EINVAL) break; + /* Stop when amount of chars is more then fields to record */ + if (data + len > limit) + break; /* This record type/len field */ *data++ = *(u8 *)addr;