pxe: Ensure we don't overflow bootargs
author Ian Campbell <ian.campbell@citrix.com>
Fri, 3 Oct 2014 13:29:01 +0000 (14:29 +0100)
committer Tom Rini <trini@ti.com>
Fri, 10 Oct 2014 13:44:21 +0000 (09:44 -0400)
On a couple of platforms I've tripped over long PXE append lines overflowing
this array, due to having CONFIG_SYS_CBSIZE == 256. When doing preseeded Debian
installs it's pretty trivial to exceed that.

Since the symptom can be a silent hang or a crash add a check. Of course the
affected boards would also need an increased CBSIZE to actually work.

Note that due to the printing of the final bootargs string CONFIG_SYS_PBSIZE
also needs to be sufficiently large.

Signed-off-by: Ian Campbell <ian.campbell@citrix.com>
[trini: Use %zd not %d in printf for all args]
Signed-off-by: Tom Rini <trini@ti.com>
common/cmd_pxe.c

index 0ab1e0aaa63fa13e8b60a78ea3b7fb1a9698b293..7e32c95df3217bc575dd39be2a71fd3f6e0deea3 100644 (file)
@@ -674,6 +674,15 @@ static int label_boot(cmd_tbl_t *cmdtp, struct pxe_label *label)
                char bootargs[CONFIG_SYS_CBSIZE] = "";
                char finalbootargs[CONFIG_SYS_CBSIZE];
 
+               if (strlen(label->append ?: "") +
+                   strlen(ip_str) + strlen(mac_str) + 1 > sizeof(bootargs)) {
+                       printf("bootarg overflow %zd+%zd+%zd+1 > %zd\n",
+                              strlen(label->append ?: ""),
+                              strlen(ip_str), strlen(mac_str),
+                              sizeof(bootargs));
+                       return 1;
+               }
+
                if (label->append)
                        strcpy(bootargs, label->append);
                strcat(bootargs, ip_str);
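
Review bot: The new length test in label_boot() bounds only bootargs; finalbootargs, declared on the context line just above with the same CONFIG_SYS_CBSIZE size, gets no equivalent check in this hunk. If finalbootargs is later filled from an expanded form of bootargs, the result can be longer than the input and needs its own bound, ideally by passing sizeof(finalbootargs) to whatever writes it. On the check itself, the arithmetic is right (three lengths plus one for the terminating NUL against sizeof(bootargs)), but strlen() and sizeof yield size_t, for which the matching printf conversion is %zu, not %zd. Each strlen() is also evaluated twice; storing the three lengths in size_t locals would make the condition and the printf share the same values and read more easily. Since the commit message says the practical fix on affected boards is a larger CBSIZE, the message "bootarg overflow ..." could name CONFIG_SYS_CBSIZE so that a user who hits it knows which setting to raise. The strcpy()/strcat() calls that follow stay unbounded and depend entirely on this pre-check; a short comment saying so would stop a later change from appending another string without updating the sum.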