buf is an array of DFU_ALT_BUF_LEN bytes. It is filled incrementally with snprintf, each call writing at buf + len, but the size argument passed to snprintf is kept at DFU_ALT_BUF_LEN rather than the space left after the first len bytes, so a later write can run past the end of the buffer. Fix this by passing the remaining size, DFU_ALT_BUF_LEN - len, to every call.
Signed-off-by: Francois Berder <[email protected]>
---
board/xilinx/zynqmp/zynqmp.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/board/xilinx/zynqmp/zynqmp.c b/board/xilinx/zynqmp/zynqmp.c
index a1d8ae26673..272e92d8465 100644
--- a/board/xilinx/zynqmp/zynqmp.c
+++ b/board/xilinx/zynqmp/zynqmp.c
@@ -706,18 +706,18 @@ void configure_capsule_updates(void)
 case SD_MODE1: bootseq = mmc_get_env_dev();
- len += snprintf(buf + len, DFU_ALT_BUF_LEN, "mmc %d=boot",
+ len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, "mmc %d=boot",
 bootseq); if (multiboot)
- len += snprintf(buf + len, DFU_ALT_BUF_LEN,
+ len += snprintf(buf + len, DFU_ALT_BUF_LEN - len,
 "%04d", multiboot);
- len += snprintf(buf + len, DFU_ALT_BUF_LEN, ".bin fat %d 1",
+ len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, ".bin fat %d 1",
 bootseq);
 #if defined(CONFIG_SPL_FS_LOAD_PAYLOAD_NAME)
 if (strlen(CONFIG_SPL_FS_LOAD_PAYLOAD_NAME))
- len += snprintf(buf + len, DFU_ALT_BUF_LEN,
+ len += snprintf(buf + len, DFU_ALT_BUF_LEN - len,
 ";%s fat %d 1", CONFIG_SPL_FS_LOAD_PAYLOAD_NAME, bootseq);
@@ -737,12 +737,12 @@ void configure_capsule_updates(void)
 limit = CONFIG_SYS_SPI_U_BOOT_OFFS;
 #endif
- len += snprintf(buf + len, DFU_ALT_BUF_LEN,
+ len += snprintf(buf + len, DFU_ALT_BUF_LEN - len,
 "sf 0:0=boot.bin raw 0x%x 0x%x", base, limit);
 #if defined(CONFIG_SPL_FS_LOAD_PAYLOAD_NAME) && defined(CONFIG_SYS_SPI_U_BOOT_OFFS)
 if (strlen(CONFIG_SPL_FS_LOAD_PAYLOAD_NAME))
- len += snprintf(buf + len, DFU_ALT_BUF_LEN,
+ len += snprintf(buf + len, DFU_ALT_BUF_LEN - len,
 ";%s raw 0x%x 0x%x", CONFIG_SPL_FS_LOAD_PAYLOAD_NAME, base + limit, size - limit);
--
2.43.0
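Review bot: The new size argument `DFU_ALT_BUF_LEN - len` on the four mmc-branch snprintf calls can itself go out of range, because snprintf returns the length the full string would have had, not what it stored; once one fragment is truncated, `len` exceeds DFU_ALT_BUF_LEN, and the next call receives `buf + len` outside the array together with a negative remaining size (converted to a huge size_t if len is signed, wrapped if unsigned — len is declared outside the hunk, so its type cannot be seen here). The bounded write therefore holds only until the first truncation. Switching these lines to scnprintf, which returns the bytes actually stored and so keeps len below DFU_ALT_BUF_LEN, is a one-word change per call, e.g. `len += scnprintf(buf + len, DFU_ALT_BUF_LEN - len, "mmc %d=boot",`; if this tree does not provide scnprintf, clamp len to DFU_ALT_BUF_LEN - 1 after each call instead. configure_capsule_updates() both starts and ends outside the hunk.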
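Review bot: The sf branch stops at bounding the writes but never checks whether the result was truncated, and a truncated dfu_alt_info-style string (the `"sf 0:0=boot.bin raw 0x%x 0x%x"` entry cut mid-field, or the `";%s raw 0x%x 0x%x"` entry missing entirely) is a malformed update target list that the later consumer, presumably outside this hunk, would act on. After the last append the function should detect that the buffer filled up and refuse to go on, e.g. `if (len >= DFU_ALT_BUF_LEN - 1) { printf("capsule update: dfu_alt_info truncated\n"); return; }`, which also needs the scnprintf (or clamped-len) form on both `len +=` lines here so that len itself stays meaningful after a truncation. Where buf is consumed cannot be seen from this hunk, so the exact placement of the check has to be confirmed against the rest of configure_capsule_updates(), whose body continues past the hunk.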

