On Tue, Aug 03, 2021 at 04:28:38PM +0200, Pali Rohár wrote: > Variable xyz.len is set to -1 on error. At the end xyzModem_stream_read() > function calls memcpy() with length from variable xyz.len. If this variable > is set to -1 then value passed to memcpy is casted to unsigned value, which > means to copy whole address space. Which then cause U-Boot crash. E.g. on > arm64 it cause CPU crash: "Synchronous Abort" handler, esr 0x96000006 > > Fix this issue by checking that value stored in xyz.len is valid prior > trying to use it. > > Signed-off-by: Pali Rohár <p...@kernel.org> > Acked-by: Heinrich Schuchardt <heinrich.schucha...@canonical.com>
With a quick X/Y modem test boot on am335x_evm: For the series, applied to u-boot/next, thanks! -- Tom
signature.asc
Description: PGP signature
