ixp4xx: Don't overwrite memory in wg302v1_fixup()

wg302v1_fixup() looks for the ATAG_CMDLINE atag, it doesn't find it and
so it takes the last atag in the list and overwrites non allocated
memory.

The side effects are corrupted vital data and a kernel that doesn't
boot. More details here https://dev.openwrt.org/ticket/18356

The fix appends the fixup to the command line and updates the atag only
when it finds it.

Signed-off-by: Gianluca Anzolin <gianluca@sottospazio.it>

SVN-Revision: 43320
lede-17.01
John Crispin 2014-11-19 14:09:19 +00:00
parent da5001475c
commit 83381c5c8f
1 changed files with 12 additions and 12 deletions

View File

@ -11,6 +11,7 @@
+{
+ struct tag *t = tags;
+ char *p = *cmdline;
+ size_t fixlen, cmdlen;
+
+ /* Find the end of the tags table, taking note of any cmdline tag. */
+ for (; t->hdr.size; t = tag_next(t)) {
@ -19,18 +20,17 @@
+ }
+ }
+
+ /* Overwrite the end of the table with a new cmdline tag. */
+ t->hdr.tag = ATAG_CMDLINE;
+ t->hdr.size = (sizeof (struct tag_header) +
+ strlen(wg302v1_mem_fixup) + strlen(p) + 1 + 4) >> 2;
+ strlcpy(t->u.cmdline.cmdline, wg302v1_mem_fixup, COMMAND_LINE_SIZE);
+ strlcpy(t->u.cmdline.cmdline + strlen(wg302v1_mem_fixup), p,
+ COMMAND_LINE_SIZE - strlen(wg302v1_mem_fixup));
+ fixlen = strlen(wg302v1_mem_fixup);
+ cmdlen = strlen(p);
+ if (fixlen + cmdlen >= COMMAND_LINE_SIZE)
+ return;
+
+ /* Terminate the table. */
+ t = tag_next(t);
+ t->hdr.tag = ATAG_NONE;
+ t->hdr.size = 0;
+ /* append the fixup to the cmdline */
+ memmove(p + cmdlen, wg302v1_mem_fixup, fixlen + 1);
+
+ /* Adjust the size of the atag if there was one */
+ if (t->hdr.size)
+ t->hdr.size += fixlen;
+}
+
static void __init wg302v1_init(void)