Skip to content

Commit 4c28df1

Browse files
Ham22Ham22
committed
mkimage: fit: check cmd string for buffer overflow
When generating the command to create the fit image the inputs are file paths which can overflow the buffer. snprintf was being used to avoid the overflow itself but nothing actually checks if a truncation occured giving unexpected filenames causing following stages to fail. Therefore add some checks before attempting to run the command. Additionally have bumped up the size of the buffer as the current inputs can easily get truncated with long paths. Signed-off-by: Ian Pozella <[email protected]>
1 parent fc825de commit 4c28df1

File tree

2 files changed

+9
-5
lines changed

2 files changed

+9
-5
lines changed

tools/fit_image.c

+8-4
Original file line numberDiff line numberDiff line change
@@ -96,7 +96,7 @@ static int fit_handle_file(struct image_tool_params *params)
9696
if (strlen (params->imagefile) +
9797
strlen (MKIMAGE_TMPFILE_SUFFIX) + 1 > sizeof (tmpfile)) {
9898
fprintf (stderr, "%s: Image file name (%s) too long, "
99-
"can't create tmpfile",
99+
"can't create tmpfile\n",
100100
params->imagefile, params->cmdname);
101101
return (EXIT_FAILURE);
102102
}
@@ -105,13 +105,17 @@ static int fit_handle_file(struct image_tool_params *params)
105105
/* We either compile the source file, or use the existing FIT image */
106106
if (params->datafile) {
107107
/* dtc -I dts -O dtb -p 500 datafile > tmpfile */
108-
snprintf(cmd, sizeof(cmd), "%s %s %s > %s",
108+
ret = snprintf(cmd, sizeof(cmd), "%s %s %s > %s",
109109
MKIMAGE_DTC, params->dtc, params->datafile, tmpfile);
110-
debug("Trying to execute \"%s\"\n", cmd);
111110
} else {
112-
snprintf(cmd, sizeof(cmd), "cp %s %s",
111+
ret = snprintf(cmd, sizeof(cmd), "cp %s %s",
113112
params->imagefile, tmpfile);
114113
}
114+
debug("Trying to execute \"%s\"\n", cmd);
115+
if (ret >= sizeof(cmd)) {
116+
fprintf (stderr, "Command too long, can't create fit image\n");
117+
return (EXIT_FAILURE);
118+
}
115119
if (system (cmd) == -1) {
116120
fprintf (stderr, "%s: system(%s) failed: %s\n",
117121
params->cmdname, cmd, strerror(errno));

tools/mkimage.h

+1-1
Original file line numberDiff line numberDiff line change
@@ -43,7 +43,7 @@ static inline ulong map_to_sysmem(void *ptr)
4343
#define MKIMAGE_TMPFILE_SUFFIX ".tmp"
4444
#define MKIMAGE_MAX_TMPFILE_LEN 256
4545
#define MKIMAGE_DEFAULT_DTC_OPTIONS "-I dts -O dtb -p 500"
46-
#define MKIMAGE_MAX_DTC_CMDLINE_LEN 512
46+
#define MKIMAGE_MAX_DTC_CMDLINE_LEN 1024
4747
#define MKIMAGE_DTC "dtc" /* assume dtc is in $PATH */
4848

4949
#endif /* _MKIIMAGE_H_ */

0 commit comments

Comments
 (0)