From 142775a52bc97d5273922970b8a9cc9f95091359 Mon Sep 17 00:00:00 2001 From: Pedro Aguilar Date: Mon, 31 Aug 2020 11:01:41 +0200 Subject: [PATCH] env: Crash in 'env import' when using checksum and a specific size This patch adds a sanity check that avoids 'size' to overflow and crash when importing an environment that contains a checksum. Example with the wrong size that causes the crash: => env import -c 0x4100000 3 v1 This assumes that v1 has already been successfully exported with 'env export -c -s 0x100 0x4100000 v1' Signed-off-by: Pedro Aguilar --- cmd/nvedit.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/cmd/nvedit.c b/cmd/nvedit.c index d188c6aa6b..9f145dd284 100644 --- a/cmd/nvedit.c +++ b/cmd/nvedit.c @@ -1171,6 +1171,11 @@ static int do_env_import(struct cmd_tbl *cmdtp, int flag, uint32_t crc; env_t *ep = (env_t *)ptr; + if (size <= offsetof(env_t, data)) { + printf("## Error: Invalid size 0x%zX\n", size); + return 1; + } + size -= offsetof(env_t, data); memcpy(&crc, &ep->crc, sizeof(crc)); -- 2.39.5