mail archive of the barebox mailing list
 help / color / mirror / Atom feed
* [PATCH 1/2] image-sparse: change retlen to size_t
@ 2021-01-11 10:32 Steffen Trumtrar
  2021-01-11 10:32 ` [PATCH 2/2] image-sparse: change chunk_data_sz to u64 Steffen Trumtrar
  2021-01-13  9:03 ` [PATCH 1/2] image-sparse: change retlen to size_t Sascha Hauer
  0 siblings, 2 replies; 3+ messages in thread
From: Steffen Trumtrar @ 2021-01-11 10:32 UTC (permalink / raw)
  To: barebox; +Cc: Steffen Trumtrar

retlen can potentially overflow. Also, write_full() in
fastboot_handle_sparse() expects size_t anyway.

Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
---
 common/fastboot.c      | 2 +-
 include/image-sparse.h | 2 +-
 lib/image-sparse.c     | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/common/fastboot.c b/common/fastboot.c
index 1b6dc28d8e..40b92d9982 100644
--- a/common/fastboot.c
+++ b/common/fastboot.c
@@ -566,7 +566,7 @@ static int fastboot_handle_sparse(struct fastboot *fb,
 	}
 
 	while (1) {
-		int retlen;
+		size_t retlen;
 		loff_t pos;
 
 		ret = sparse_image_read(sparse, buf, &pos, bufsiz, &retlen);
diff --git a/include/image-sparse.h b/include/image-sparse.h
index 29242f4fd5..6bff844411 100644
--- a/include/image-sparse.h
+++ b/include/image-sparse.h
@@ -60,7 +60,7 @@ struct sparse_image_ctx;
 
 struct sparse_image_ctx *sparse_image_open(const char *path);
 int sparse_image_read(struct sparse_image_ctx *si, void *buf,
-		      loff_t *pos, size_t len, int *retlen);
+		      loff_t *pos, size_t len, size_t *retlen);
 void sparse_image_close(struct sparse_image_ctx *si);
 loff_t sparse_image_size(struct sparse_image_ctx *si);
 
diff --git a/lib/image-sparse.c b/lib/image-sparse.c
index 0c31742ab6..8e7a52fd71 100644
--- a/lib/image-sparse.c
+++ b/lib/image-sparse.c
@@ -190,7 +190,7 @@ out:
 }
 
 int sparse_image_read(struct sparse_image_ctx *si, void *buf, loff_t *pos,
-		      size_t len, int *retlen)
+		      size_t len, size_t *retlen)
 {
 	size_t now;
 	int ret, i;
-- 
2.20.1


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

^ permalink raw reply	[flat|nested] 3+ messages in thread
* [PATCH 2/2] image-sparse: change chunk_data_sz to u64
  2021-01-11 10:32 [PATCH 1/2] image-sparse: change retlen to size_t Steffen Trumtrar
@ 2021-01-11 10:32 ` Steffen Trumtrar
  2021-01-13  9:03 ` [PATCH 1/2] image-sparse: change retlen to size_t Sascha Hauer
  1 sibling, 0 replies; 3+ messages in thread
From: Steffen Trumtrar @ 2021-01-11 10:32 UTC (permalink / raw)
  To: barebox; +Cc: Steffen Trumtrar

chunk_data_sz is set to the result of a __le32 * __le32 multiplication:

  chunk_data_sz = si->sparse.blk_sz * si->chunk.chunk_sz;

This will overflow.

Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
---
 lib/image-sparse.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/image-sparse.c b/lib/image-sparse.c
index 8e7a52fd71..c375c78d63 100644
--- a/lib/image-sparse.c
+++ b/lib/image-sparse.c
@@ -62,7 +62,8 @@ struct sparse_image_ctx {
 
 static int sparse_seek(struct sparse_image_ctx *si)
 {
-	unsigned int chunk_data_sz, payload;
+	uint64_t chunk_data_sz;
+	unsigned int payload;
 	loff_t offs;
 	int ret;
 
@@ -94,7 +95,7 @@ again:
 			return -errno;
 	}
 
-	chunk_data_sz = si->sparse.blk_sz * si->chunk.chunk_sz;
+	chunk_data_sz = (uint64_t) si->sparse.blk_sz * si->chunk.chunk_sz;
 	payload = si->chunk.total_sz - si->sparse.chunk_hdr_sz;
 
 	si->processed_chunks++;
-- 
2.20.1


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH 1/2] image-sparse: change retlen to size_t
  2021-01-11 10:32 [PATCH 1/2] image-sparse: change retlen to size_t Steffen Trumtrar
  2021-01-11 10:32 ` [PATCH 2/2] image-sparse: change chunk_data_sz to u64 Steffen Trumtrar
@ 2021-01-13  9:03 ` Sascha Hauer
  1 sibling, 0 replies; 3+ messages in thread
From: Sascha Hauer @ 2021-01-13  9:03 UTC (permalink / raw)
  To: Steffen Trumtrar; +Cc: barebox

On Mon, Jan 11, 2021 at 11:32:04AM +0100, Steffen Trumtrar wrote:
> retlen can potentially overflow. Also, write_full() in
> fastboot_handle_sparse() expects size_t anyway.
> 
> Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
> ---
>  common/fastboot.c      | 2 +-
>  include/image-sparse.h | 2 +-
>  lib/image-sparse.c     | 2 +-
>  3 files changed, 3 insertions(+), 3 deletions(-)

Applied to master, thanks

Sascha

> 
> diff --git a/common/fastboot.c b/common/fastboot.c
> index 1b6dc28d8e..40b92d9982 100644
> --- a/common/fastboot.c
> +++ b/common/fastboot.c
> @@ -566,7 +566,7 @@ static int fastboot_handle_sparse(struct fastboot *fb,
>  	}
>  
>  	while (1) {
> -		int retlen;
> +		size_t retlen;
>  		loff_t pos;
>  
>  		ret = sparse_image_read(sparse, buf, &pos, bufsiz, &retlen);
> diff --git a/include/image-sparse.h b/include/image-sparse.h
> index 29242f4fd5..6bff844411 100644
> --- a/include/image-sparse.h
> +++ b/include/image-sparse.h
> @@ -60,7 +60,7 @@ struct sparse_image_ctx;
>  
>  struct sparse_image_ctx *sparse_image_open(const char *path);
>  int sparse_image_read(struct sparse_image_ctx *si, void *buf,
> -		      loff_t *pos, size_t len, int *retlen);
> +		      loff_t *pos, size_t len, size_t *retlen);
>  void sparse_image_close(struct sparse_image_ctx *si);
>  loff_t sparse_image_size(struct sparse_image_ctx *si);
>  
> diff --git a/lib/image-sparse.c b/lib/image-sparse.c
> index 0c31742ab6..8e7a52fd71 100644
> --- a/lib/image-sparse.c
> +++ b/lib/image-sparse.c
> @@ -190,7 +190,7 @@ out:
>  }
>  
>  int sparse_image_read(struct sparse_image_ctx *si, void *buf, loff_t *pos,
> -		      size_t len, int *retlen)
> +		      size_t len, size_t *retlen)
>  {
>  	size_t now;
>  	int ret, i;
> -- 
> 2.20.1
> 
> 
> _______________________________________________
> barebox mailing list
> barebox@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/barebox
> 

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-01-13  9:03 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-11 10:32 [PATCH 1/2] image-sparse: change retlen to size_t Steffen Trumtrar
2021-01-11 10:32 ` [PATCH 2/2] image-sparse: change chunk_data_sz to u64 Steffen Trumtrar
2021-01-13  9:03 ` [PATCH 1/2] image-sparse: change retlen to size_t Sascha Hauer

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox