On 6/1/26 15:02, Francois Berder wrote:
buf is an array of size DFU_ALT_BUF_LEN bytes.
It is gradually filled with data using snprintf but the
size argument to snprintf is kept at DFU_ALT_BUF_LEN,
making it possible to overflow the buffer.
Fix this bug using the correct buffer size:
DFU_ALT_BUF_LEN - len.

Signed-off-by: Francois Berder <[email protected]>
---
  board/xilinx/versal/board.c | 8 ++++----
  1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/board/xilinx/versal/board.c b/board/xilinx/versal/board.c
index 9371c30ea27..978909840b9 100644
--- a/board/xilinx/versal/board.c
+++ b/board/xilinx/versal/board.c
@@ -418,14 +418,14 @@ void configure_capsule_updates(void)
        case SD_MODE1:
                bootseq = mmc_get_env_dev();
- len += snprintf(buf + len, DFU_ALT_BUF_LEN, "mmc %d=boot",
+               len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, "mmc %d=boot",
                               bootseq);
if (multiboot)
-                       len += snprintf(buf + len, DFU_ALT_BUF_LEN,
+                       len += snprintf(buf + len, DFU_ALT_BUF_LEN - len,
                                        "%04d", multiboot);
- len += snprintf(buf + len, DFU_ALT_BUF_LEN, ".bin fat %d 1",
+               len += snprintf(buf + len, DFU_ALT_BUF_LEN - len, ".bin fat %d 
1",
                               bootseq);
                break;
        case QSPI_MODE_24BIT:
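Review bot: in the SD_MODE1 branch, `DFU_ALT_BUF_LEN - len` still depends on snprintf's return value, which is the length the output would have had, not the number of bytes stored. If the "mmc %d=boot" or "%04d" call truncates, len grows past DFU_ALT_BUF_LEN, so the following call receives `buf + len` beyond the array and a negative size that turns into a very large value when converted to size_t. Using scnprintf for all three calls, as the reply asks, keeps len below the buffer size; otherwise len needs a check against DFU_ALT_BUF_LEN after each call.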
@@ -438,7 +438,7 @@ void configure_capsule_updates(void)
mtd_found_part(&base, &limit); - len += snprintf(buf + len, DFU_ALT_BUF_LEN,
+                       len += snprintf(buf + len, DFU_ALT_BUF_LEN - len,
                                        "sf 0:0=boot.bin raw 0x%x 0x%x",
                                        base, limit);
                }
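Review bot: the "sf 0:0=boot.bin raw 0x%x 0x%x" call adds the snprintf return value to len with no truncation check, so after a truncated write len no longer matches what is stored in buf. scnprintf would keep len equal to the bytes actually written here as well; if a truncated string is not acceptable, compare the result with the remaining space `DFU_ALT_BUF_LEN - len` and report the failure instead of continuing silently.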


Please look at my reply in your second patch and please use scnprintf instead.

Thanks,
Michal
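
The return-value difference behind the scnprintf request, as an added example that is not part of the original thread or of U-Boot. `scnprintf_demo` is a hypothetical userspace stand-in for scnprintf semantics, and `ALT_BUF_LEN` is a constructed 16-byte size chosen so that the last call truncates.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define ALT_BUF_LEN 16 /* constructed: small so truncation is easy to trigger */

/* Userspace stand-in (assumption): returns the bytes actually stored, without NUL. */
static int scnprintf_demo(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int n;

	if (size == 0)
		return 0;
	va_start(ap, fmt);
	n = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	return n < 0 ? 0 : ((size_t)n >= size ? (int)(size - 1) : n);
}

/* Patched pattern. In bounds only for small inputs such as dev=0, multiboot=1. */
int build_snprintf(char *buf, int dev, int multiboot)
{
	int len = 0;

	len += snprintf(buf + len, ALT_BUF_LEN - len, "mmc %d=boot", dev);
	if (multiboot)
		len += snprintf(buf + len, ALT_BUF_LEN - len, "%04d", multiboot);
	len += snprintf(buf + len, ALT_BUF_LEN - len, ".bin fat %d 1", dev);
	return len; /* wanted length: can exceed ALT_BUF_LEN after truncation */
}

/* Same sequence with scnprintf semantics: len never reaches ALT_BUF_LEN. */
int build_scnprintf(char *buf, int dev, int multiboot)
{
	int len = 0;

	len += scnprintf_demo(buf + len, ALT_BUF_LEN - len, "mmc %d=boot", dev);
	if (multiboot)
		len += scnprintf_demo(buf + len, ALT_BUF_LEN - len, "%04d", multiboot);
	len += scnprintf_demo(buf + len, ALT_BUF_LEN - len, ".bin fat %d 1", dev);
	return len;
}

int main(void)
{
	char a[ALT_BUF_LEN], b[ALT_BUF_LEN];
	printf("snprintf:  len=%d\n", build_snprintf(a, 0, 1));
	printf("scnprintf: len=%d stored=%zu\n", build_scnprintf(b, 0, 1), strlen(b));
	return 0;
}
```

With the snprintf variant, len ends above the buffer size, so one more `buf + len` call would start outside the array with a wrapped size argument.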
