Re: [Powerpc-utils-devel] [PATCH] nvram: fix memory corruption when nvram->nbytes is less than actual nvram size

[Nathan F. <nf...@li...>]

On 06/23/2014 03:31 PM, Tyrel Datwyler wrote:
> The nvram_read function always calls read with a 512 byte chunk size. If the
> actual nvram size is greater than nvram->nbytes, which can be overriden by the
> --nvram-size option, the allocated read buffer will be overrun.
> 
> Fixed read logic to only read upto nvram->nbytes of data.
> 
> Signed-off-by: Tyrel Datwyler <ty...@us...>
> ---
>  src/nvram.c | 17 +++++++++--------
>  src/nvram.h |  1 +
>  2 files changed, 10 insertions(+), 8 deletions(-)
> 
> diff --git a/src/nvram.c b/src/nvram.c
> index f3701e9..73449c1 100644
> --- a/src/nvram.c
> +++ b/src/nvram.c
> @@ -205,17 +205,18 @@ warn_msg(const char *fmt, ...)
>  int 
>  nvram_read(struct nvram *nvram)
>  {
> -    int len, remaining;
> +    int len, remaining, chunk;
>      char *p;
> 
>      /* read in small chunks */
> -    for (p = nvram->data, remaining = nvram->nbytes;
> -           (len = read(nvram->fd, p, 512)) > 0;
> -           p += len, remaining -= len) {
> -           if (remaining <= 0) {
> -               remaining = 0;
> -               break;
> -           }
> +    p = nvram->data;
> +    remaining = nvram->nbytes;
> +    chunk = (NVRAM_READ_SIZE < remaining) ? NVRAM_READ_SIZE : remaining;
> +
> +    while ((len = read(nvram->fd, p, chunk)) > 0) {
> +        p+=len;

Tiny nit. spaces.

Can be cleaned up on commit

-Nathan

> +        remaining -= len;
> +        chunk = (NVRAM_READ_SIZE < remaining) ? NVRAM_READ_SIZE : remaining;
>      }
> 
>      if (len == -1) {
> diff --git a/src/nvram.h b/src/nvram.h
> index c5036e9..b4961fe 100644
> --- a/src/nvram.h
> +++ b/src/nvram.h
> @@ -31,6 +31,7 @@
>  #define printmap(ch)	(isgraph(ch) ? (ch) : '.')
> 
>  #define NVRAM_BLOCK_SIZE	16
> +#define NVRAM_READ_SIZE		512
>  #define NVRAM_FILENAME1		"/dev/nvram"
>  #define NVRAM_FILENAME2		"/dev/misc/nvram"
>