bootm: Avoid 256-byte overflow in fixup_silent_linux()
authorDoug Anderson <dianders@chromium.org>
Tue, 17 Jan 2012 09:37:41 +0000 (09:37 +0000)
committerTom Rini <trini@ti.com>
Fri, 17 May 2013 18:43:29 +0000 (14:43 -0400)
This makes fixup_silent_linux() use malloc() to allocate its
working space, sized from the current bootargs, so the maximum kernel
command line it can handle is limited only by malloc().  Previously a
bootargs value longer than the fixed 256-byte stack buffer silently
overflowed the stack.

Note that nothing about this change increases the kernel's maximum
command line length.  If you have a command line that is >256
bytes it's up to you to make sure that kernel can handle it.

Signed-off-by: Doug Anderson <dianders@chromium.org>
Acked-by: Mike Frysinger <vapier@gentoo.org>
common/cmd_bootm.c

index dd6cafaa87c41c54142504d28b8ea7c5a7957e65..15f4599d45f28f5f005403abb9908c8cd07e0317 100644 (file)
@@ -1423,9 +1423,14 @@ U_BOOT_CMD(
 /* helper routines */
 /*******************************************************************/
 #if defined(CONFIG_SILENT_CONSOLE) && !defined(CONFIG_SILENT_U_BOOT_ONLY)
+
+#define CONSOLE_ARG     "console="
+#define CONSOLE_ARG_LEN (sizeof(CONSOLE_ARG) - 1)
+
 static void fixup_silent_linux(void)
 {
-       char buf[256], *start, *end;
+       char *buf;
+       const char *env_val;
        char *cmdline = getenv("bootargs");
 
        /* Only fix cmdline when requested */
@@ -1433,25 +1438,37 @@ static void fixup_silent_linux(void)
                return;
 
        debug("before silent fix-up: %s\n", cmdline);
-       if (cmdline) {
-               start = strstr(cmdline, "console=");
+       if (cmdline && (cmdline[0] != '\0')) {
+               char *start = strstr(cmdline, CONSOLE_ARG);
+
+               /* Allocate space for maximum possible new command line */
+               buf = malloc(strlen(cmdline) + 1 + CONSOLE_ARG_LEN + 1);
+               if (!buf) {
+                       debug("%s: out of memory\n", __func__);
+                       return;
+               }
+
                if (start) {
-                       end = strchr(start, ' ');
-                       strncpy(buf, cmdline, (start - cmdline + 8));
+                       char *end = strchr(start, ' ');
+                       int num_start_bytes = start - cmdline + CONSOLE_ARG_LEN;
+
+                       strncpy(buf, cmdline, num_start_bytes);
                        if (end)
-                               strcpy(buf + (start - cmdline + 8), end);
+                               strcpy(buf + num_start_bytes, end);
                        else
-                               buf[start - cmdline + 8] = '\0';
+                               buf[num_start_bytes] = '\0';
                } else {
-                       strcpy(buf, cmdline);
-                       strcat(buf, " console=");
+                       sprintf(buf, "%s %s", cmdline, CONSOLE_ARG);
                }
+               env_val = buf;
        } else {
-               strcpy(buf, "console=");
+               buf = NULL;
+               env_val = CONSOLE_ARG;
        }
 
-       setenv("bootargs", buf);
-       debug("after silent fix-up: %s\n", buf);
+       setenv("bootargs", env_val);
+       debug("after silent fix-up: %s\n", env_val);
+       free(buf);
 }
 #endif /* CONFIG_SILENT_CONSOLE */
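Review bot: The buffer size is computed once inside the malloc() call on the `buf = malloc(...)` line but the writes that follow (`strcpy`, `sprintf`) are unbounded, so the very overflow this commit fixes can be reintroduced by any later edit to the format string or to the size expression without the two being kept in step. Keeping the bound in a named variable and passing it to the write keeps them visibly tied: `size_t len = strlen(cmdline) + 1 + CONSOLE_ARG_LEN + 1;`, `buf = malloc(len);`, and in the no-`console=` branch `snprintf(buf, len, "%s %s", cmdline, CONSOLE_ARG);`. On the same theme, `int num_start_bytes = start - cmdline + CONSOLE_ARG_LEN;` stores a pointer difference in an `int`; `size_t` matches what `strncpy` takes and avoids a signed/unsigned mismatch, and since the bytes before `start` contain no NUL, `memcpy(buf, cmdline, num_start_bytes)` says more plainly that no termination is expected here. Note also that `strstr(cmdline, CONSOLE_ARG)` matches `console=` as a substring (for example inside `netconsole=`), and only the first match is blanked; that behaviour is inherited from the old code rather than introduced here, but a one-line comment such as `/* blanks the first "console=" substring only; does not check for a preceding space */` would save the next reader from assuming a whole-argument match. The enclosing function begins in the previous hunk.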