[PATCH] env: Crash in 'env import' when using checksum and a specific size

Pedro Aguilar Mon, 31 Aug 2020 04:03:37 -0700

This patch adds a sanity check that avoids 'size' to overflow and crash when
importing an environment that contains a checksum. Example with the wrong size
that causes the crash:


=> env import -c 0x4100000 3 v1

This assumes that v1 has already been successfully exported with
'env export -c -s 0x100 0x4100000 v1'

Signed-off-by: Pedro Aguilar <pedro.agui...@vimar.com>
---
 cmd/nvedit.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/cmd/nvedit.c b/cmd/nvedit.c
index d188c6aa6b..9f145dd284 100644
--- a/cmd/nvedit.c
+++ b/cmd/nvedit.c
@@ -1171,6 +1171,11 @@ static int do_env_import(struct cmd_tbl *cmdtp, int flag,
                uint32_t crc;
                env_t *ep = (env_t *)ptr;
 
+               if (size <= offsetof(env_t, data)) {
+                       printf("## Error: Invalid size 0x%zX\n", size);
+                       return 1;
+               }
+
                size -= offsetof(env_t, data);
                memcpy(&crc, &ep->crc, sizeof(crc));
 
-- 
2.25.1

[PATCH] env: Crash in 'env import' when using checksum and a specific size

Reply via email to