mirror of https://github.com/hak5/openwrt.git
ixp4xx: Don't overwrite memory in wg302v1_fixup()
wg302v1_fixup() looks for the ATAG_CMDLINE atag, it doesn't find it and so it takes the last atag in the list and overwrites non allocated memory. The side effects are corrupted vital data and a kernel that doesn't boot. More details here https://dev.openwrt.org/ticket/18356 The fix appends the fixup to the command line and updates the atag only when it finds it. Signed-off-by: Gianluca Anzolin <gianluca@sottospazio.it> SVN-Revision: 43320lede-17.01
parent
da5001475c
commit
83381c5c8f
|
@ -11,6 +11,7 @@
|
|||
+{
|
||||
+ struct tag *t = tags;
|
||||
+ char *p = *cmdline;
|
||||
+ size_t fixlen, cmdlen;
|
||||
+
|
||||
+ /* Find the end of the tags table, taking note of any cmdline tag. */
|
||||
+ for (; t->hdr.size; t = tag_next(t)) {
|
||||
|
@ -19,18 +20,17 @@
|
|||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* Overwrite the end of the table with a new cmdline tag. */
|
||||
+ t->hdr.tag = ATAG_CMDLINE;
|
||||
+ t->hdr.size = (sizeof (struct tag_header) +
|
||||
+ strlen(wg302v1_mem_fixup) + strlen(p) + 1 + 4) >> 2;
|
||||
+ strlcpy(t->u.cmdline.cmdline, wg302v1_mem_fixup, COMMAND_LINE_SIZE);
|
||||
+ strlcpy(t->u.cmdline.cmdline + strlen(wg302v1_mem_fixup), p,
|
||||
+ COMMAND_LINE_SIZE - strlen(wg302v1_mem_fixup));
|
||||
+ fixlen = strlen(wg302v1_mem_fixup);
|
||||
+ cmdlen = strlen(p);
|
||||
+ if (fixlen + cmdlen >= COMMAND_LINE_SIZE)
|
||||
+ return;
|
||||
+
|
||||
+ /* Terminate the table. */
|
||||
+ t = tag_next(t);
|
||||
+ t->hdr.tag = ATAG_NONE;
|
||||
+ t->hdr.size = 0;
|
||||
+ /* append the fixup to the cmdline */
|
||||
+ memmove(p + cmdlen, wg302v1_mem_fixup, fixlen + 1);
|
||||
+
|
||||
+ /* Adjust the size of the atag if there was one */
|
||||
+ if (t->hdr.size)
|
||||
+ t->hdr.size += fixlen;
|
||||
+}
|
||||
+
|
||||
static void __init wg302v1_init(void)
|
||||
|
|
Loading…
Reference in New Issue