buf is an array of size DFU_ALT_BUF_LEN bytes. It is gradually filled with data using snprintf but the size argument to snprintf is kept at DFU_ALT_BUF_LEN, making it possible to overflow the buffer. Fix this bug using the correct buffer size: DFU_ALT_BUF_LEN - len.
Signed-off-by: Francois Berder <[email protected]>
---
 board/xilinx/versal/board.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/board/xilinx/versal/board.c b/board/xilinx/versal/board.c
index 9371c30ea27..978909840b9 100644
--- a/board/xilinx/versal/board.c
+++ b/board/xilinx/versal/board.c
@@ -418,14 +418,14 @@ void configure_capsule_updates(void)
 	case SD_MODE1:
 		bootseq = mmc_get_env_dev();
-		len += snprintf(buf + len, DFU_ALT_BUF_LEN, "mmc %d=boot",
+		len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, "mmc %d=boot",
 				bootseq);
 		if (multiboot)
-			len += snprintf(buf + len, DFU_ALT_BUF_LEN,
+			len += snprintf(buf + len, DFU_ALT_BUF_LEN - len,
 					"%04d", multiboot);
-		len += snprintf(buf + len, DFU_ALT_BUF_LEN, ".bin fat %d 1",
+		len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, ".bin fat %d 1",
 				bootseq);
 		break;
 	case QSPI_MODE_24BIT:
@@ -438,7 +438,7 @@ void configure_capsule_updates(void)
 		mtd_found_part(&base, &limit);
-		len += snprintf(buf + len, DFU_ALT_BUF_LEN,
+		len += snprintf(buf + len, DFU_ALT_BUF_LEN - len,
 				"sf 0:0=boot.bin raw 0x%x 0x%x", base, limit);
 	}
-- 
2.43.0
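Review bot: The new size argument `DFU_ALT_BUF_LEN - len` is only safe while `len` stays below DFU_ALT_BUF_LEN, but snprintf() returns the length the output would have had, so as soon as one call truncates, `len` exceeds the buffer size, the next `buf + len` points past the array and `DFU_ALT_BUF_LEN - len` goes negative and is converted to a huge size_t — the following append is an out-of-bounds write, not the truncation this patch intends. This applies to every `len += snprintf(...)` line in both hunks and presumably to the other switch cases outside them; configure_capsule_updates() starts and ends outside the hunk, so I cannot see whether `len` is checked anywhere else, and I am assuming `len` is an int as the arithmetic suggests. I would route all appends through one bounded helper that saturates `len` at DFU_ALT_BUF_LEN and reports the truncation, e.g. `len = dfu_alt_append(buf, len, "mmc %d=boot", bootseq);`, so a truncated dfu_alt_info is never handed on silently as if it were complete.
```c
/*
 * Append a formatted fragment to the DFU alt-info string. snprintf() returns
 * the untruncated length, so @len is saturated at DFU_ALT_BUF_LEN; callers
 * can detect a truncated (unusable) string with len >= DFU_ALT_BUF_LEN.
 */
static int dfu_alt_append(char *buf, int len, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (len < 0 || len >= DFU_ALT_BUF_LEN)
		return DFU_ALT_BUF_LEN;

	va_start(ap, fmt);
	n = vsnprintf(buf + len, DFU_ALT_BUF_LEN - len, fmt, ap);
	va_end(ap);

	if (n < 0 || n >= DFU_ALT_BUF_LEN - len) {
		printf("%s: dfu_alt_info truncated\n", __func__);
		return DFU_ALT_BUF_LEN;
	}
	return len + n;
}

/* … unchanged: configure_capsule_updates() up to case SD_MODE1 … */
		len = dfu_alt_append(buf, len, "mmc %d=boot", bootseq);
		if (multiboot)
			len = dfu_alt_append(buf, len, "%04d", multiboot);
		len = dfu_alt_append(buf, len, ".bin fat %d 1", bootseq);
		/* … unchanged: remaining cases, each converted the same way … */
```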

