From: Tyrel D. <ty...@li...> - 2014-06-23 20:32:14
The nvram_read function always calls read with a 512 byte chunk size. If the actual nvram size is greater than nvram->nbytes, which can be overriden by the --nvram-size option, the allocated read buffer will be overrun. Fixed read logic to only read upto nvram->nbytes of data.
Signed-off-by: Tyrel Datwyler <ty...@us...>
---
 src/nvram.c | 17 +++++++++--------
 src/nvram.h | 1 +
 2 files changed, 10 insertions(+), 8 deletions(-)
diff --git a/src/nvram.c b/src/nvram.c
index f3701e9..73449c1 100644
--- a/src/nvram.c
+++ b/src/nvram.c
@@ -205,17 +205,18 @@ warn_msg(const char *fmt, ...)
 int
 nvram_read(struct nvram *nvram)
 {
- int len, remaining;
+ int len, remaining, chunk;
 char *p;
 /* read in small chunks */
- for (p = nvram->data, remaining = nvram->nbytes;
- (len = read(nvram->fd, p, 512)) > 0;
- p += len, remaining -= len) {
- if (remaining <= 0) {
- remaining = 0;
- break;
- }
+ p = nvram->data;
+ remaining = nvram->nbytes;
+ chunk = (NVRAM_READ_SIZE < remaining) ? NVRAM_READ_SIZE : remaining;
+
+ while ((len = read(nvram->fd, p, chunk)) > 0) {
+ p+=len;
+ remaining -= len;
+ chunk = (NVRAM_READ_SIZE < remaining) ? NVRAM_READ_SIZE : remaining;
 }
 if (len == -1) {
diff --git a/src/nvram.h b/src/nvram.h
index c5036e9..b4961fe 100644
--- a/src/nvram.h
+++ b/src/nvram.h
@@ -31,6 +31,7 @@
 #define printmap(ch) (isgraph(ch) ? (ch) : '.')
 #define NVRAM_BLOCK_SIZE 16
+#define NVRAM_READ_SIZE 512
 #define NVRAM_FILENAME1 "/dev/nvram"
 #define NVRAM_FILENAME2 "/dev/misc/nvram"
--
1.8.5.2 |
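Review bot: The bound on read() in nvram_read now rests entirely on `chunk`, an int that is converted to size_t at the call, and once the buffer is full the loop ends only because a zero-count read() returns 0. If nvram->nbytes can ever be negative (its type and the validation of --nvram-size are not visible in this hunk), `chunk` takes that negative value and read() is asked for a huge count, which is the overrun this patch is meant to close. Making the bound explicit removes that dependence: `int len = 0, remaining, chunk;` and `while (remaining > 0 && (len = read(nvram->fd, p, chunk)) > 0) {`. The function body continues past the end of the hunk, so how a short read (remaining still above zero at end of file) is reported cannot be checked from here.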