From 60d7d5a63189c9f77a190c9965861dc15482c2d0 Mon Sep 17 00:00:00 2001 From: Rob Herring Date: Fri, 22 Mar 2013 11:26:21 +0000 Subject: env: fix potential stack overflow in environment functions Most of the various environment functions create CONFIG_ENV_SIZE buffers on the stack. At least on ARM and PPC which have 4KB stacks, this can overflow the stack if we have large environment sizes. So move all the buffers off the stack to static buffers. Signed-off-by: Rob Herring --- common/env_eeprom.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) (limited to 'common/env_eeprom.c') diff --git a/common/env_eeprom.c b/common/env_eeprom.c index 45c935b6d..b136f04eb 100644 --- a/common/env_eeprom.c +++ b/common/env_eeprom.c @@ -38,6 +38,7 @@ DECLARE_GLOBAL_DATA_PTR; env_t *env_ptr; +static char env_buf[CONFIG_ENV_SIZE]; char *env_name_spec = "EEPROM"; int env_eeprom_bus = -1; @@ -111,7 +112,7 @@ uchar env_get_char_spec(int index) void env_relocate_spec(void) { - char buf[CONFIG_ENV_SIZE]; + char *buf = env_buf; unsigned int off = CONFIG_ENV_OFFSET; #ifdef CONFIG_ENV_OFFSET_REDUND @@ -126,7 +127,7 @@ void env_relocate_spec(void) int saveenv(void) { - env_t env_new; + env_t *env_new = (env_t *)env_buf; ssize_t len; char *res; int rc; @@ -138,13 +139,13 @@ int saveenv(void) BUG_ON(env_ptr != NULL); - res = (char *)&env_new.data; + res = (char *)env_new->data; len = hexport_r(&env_htab, '\0', 0, &res, ENV_SIZE, 0, NULL); if (len < 0) { error("Cannot export environment: errno = %d\n", errno); return 1; } - env_new.crc = crc32(0, env_new.data, ENV_SIZE); + env_new->crc = crc32(0, env_new->data, ENV_SIZE); #ifdef CONFIG_ENV_OFFSET_REDUND if (gd->env_valid == 1) { @@ -152,11 +153,11 @@ int saveenv(void) off_red = CONFIG_ENV_OFFSET; } - env_new.flags = ACTIVE_FLAG; + env_new->flags = ACTIVE_FLAG; #endif rc = eeprom_bus_write(CONFIG_SYS_DEF_EEPROM_ADDR, - off, (uchar *)&env_new, CONFIG_ENV_SIZE); + off, (uchar *)env_new, CONFIG_ENV_SIZE); #ifdef CONFIG_ENV_OFFSET_REDUND if (rc == 0) { -- cgit v1.2.3-70-g09d2