| author | Rob Herring <rob.herring@calxeda.com> | 2013-03-22 11:26:21 +0000 | 
|---|---|---|
| committer | Tom Rini <trini@ti.com> | 2013-04-02 16:23:34 -0400 | 
| commit | 60d7d5a63189c9f77a190c9965861dc15482c2d0 (patch) | |
| tree | 68bf7c543f8f282142eb7a10c700b3a3d86341fb /common/env_sf.c | |
| parent | c17b94ec5ec89c63070dd385b6c3a6645761c405 (diff) | |
env: fix potential stack overflow in environment functions
Most of the various environment functions create CONFIG_ENV_SIZE buffers on
the stack. At least on ARM and PPC which have 4KB stacks, this can overflow
the stack if we have large environment sizes. So move all the buffers off
the stack to static buffers.
Signed-off-by: Rob Herring <rob.herring@calxeda.com>
Diffstat (limited to 'common/env_sf.c')
| -rw-r--r-- | common/env_sf.c | 23 | 
1 files changed, 12 insertions, 11 deletions
|
diff --git a/common/env_sf.c b/common/env_sf.c
index d9e908546..9a592ba95 100644
--- a/common/env_sf.c
+++ b/common/env_sf.c
@@ -58,11 +58,12 @@ DECLARE_GLOBAL_DATA_PTR;
 char *env_name_spec = "SPI Flash";
 static struct spi_flash *env_flash;
+static char env_buf[CONFIG_ENV_SIZE];
 #if defined(CONFIG_ENV_OFFSET_REDUND)
 int saveenv(void)
 {
-	env_t	env_new;
+	env_t	*env_new = (env_t *)env_buf;
 	ssize_t	len;
 	char	*res, *saved_buffer = NULL, flag = OBSOLETE_FLAG;
 	u32	saved_size, saved_offset, sector = 1;
@@ -78,14 +79,14 @@ int saveenv(void)
 		}
 	}
-	res = (char *)&env_new.data;
+	res = (char *)env_new->data;
 	len = hexport_r(&env_htab, '\0', 0, &res, ENV_SIZE, 0, NULL);
 	if (len < 0) {
 		error("Cannot export environment: errno = %d\n", errno);
 		return 1;
 	}
-	env_new.crc	= crc32(0, env_new.data, ENV_SIZE);
-	env_new.flags	= ACTIVE_FLAG;
+	env_new->crc	= crc32(0, env_new->data, ENV_SIZE);
+	env_new->flags	= ACTIVE_FLAG;
 	if (gd->env_valid == 1) {
 		env_new_offset = CONFIG_ENV_OFFSET_REDUND;
@@ -125,7 +126,7 @@ int saveenv(void)
 	puts("Writing to SPI flash...");
 	ret = spi_flash_write(env_flash, env_new_offset,
-		CONFIG_ENV_SIZE, &env_new);
+		CONFIG_ENV_SIZE, env_new);
 	if (ret)
 		goto done;
@@ -137,7 +138,7 @@ int saveenv(void)
 	}
 	ret = spi_flash_write(env_flash, env_offset + offsetof(env_t, flags),
-				sizeof(env_new.flags), &flag);
+				sizeof(env_new->flags), &flag);
 	if (ret)
 		goto done;
@@ -243,7 +244,7 @@ int saveenv(void)
 	u32	saved_size, saved_offset, sector = 1;
 	char	*res, *saved_buffer = NULL;
 	int	ret = 1;
-	env_t	env_new;
+	env_t	*env_new = (env_t *)env_buf;
 	ssize_t	len;
 	if (!env_flash) {
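Review bot: `env_buf` is declared as a plain `static char` array and then cast to `env_t *` in both `saveenv()` variants (the hunk at -58 and the one at -243), so nothing guarantees the alignment that the `env_new->crc` and `env_new->flags` stores need; the old stack `env_t` was aligned by its type. On cores that trap unaligned accesses this could fault if the linker happens to place the array at an odd address. Declaring it as `static char env_buf[CONFIG_ENV_SIZE] __attribute__((aligned(__alignof__(env_t))));` keeps the cast safe. A short comment above it, e.g. `/* shared scratch buffer for saveenv() and env_relocate_spec(); not reentrant */`, would also record that these callers now share storage. Both `saveenv()` bodies continue outside these hunks.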
@@ -276,13 +277,13 @@ int saveenv(void)
 			sector++;
 	}
-	res = (char *)&env_new.data;
+	res = (char *)env_new->data;
 	len = hexport_r(&env_htab, '\0', 0, &res, ENV_SIZE, 0, NULL);
 	if (len < 0) {
 		error("Cannot export environment: errno = %d\n", errno);
 		goto done;
 	}
-	env_new.crc = crc32(0, env_new.data, ENV_SIZE);
+	env_new->crc = crc32(0, env_new->data, ENV_SIZE);
 	puts("Erasing SPI flash...");
 	ret = spi_flash_erase(env_flash, CONFIG_ENV_OFFSET,
@@ -292,7 +293,7 @@ int saveenv(void)
 	puts("Writing to SPI flash...");
 	ret = spi_flash_write(env_flash, CONFIG_ENV_OFFSET,
-		CONFIG_ENV_SIZE, &env_new);
+		CONFIG_ENV_SIZE, env_new);
 	if (ret)
 		goto done;
@@ -315,7 +316,7 @@ int saveenv(void)
 void env_relocate_spec(void)
 {
-	char buf[CONFIG_ENV_SIZE];
+	char *buf = env_buf;
 	int ret;
 	env_flash = spi_flash_probe(CONFIG_ENV_SPI_BUS, CONFIG_ENV_SPI_CS,
|
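Review bot: Turning `buf` from an array into `char *buf = env_buf;` in `env_relocate_spec()` silently changes the meaning of any `sizeof(buf)` later in the function, which would now yield the pointer size rather than `CONFIG_ENV_SIZE`. The rest of the body lies outside this hunk, so it is worth confirming that every read length there is spelled `CONFIG_ENV_SIZE` (or `sizeof(env_buf)`) rather than derived from `buf`. Because the buffer is now static, it also keeps whatever an earlier call left in it, so the error path after a failed flash read should not pass `buf` on as if it held fresh data.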