
On Sun, Aug 20, 2017 at 9:40 PM, Tom Rini trini@konsulko.com wrote:
In rpc_t we declare data to be a uint8_t of size 2048, for a final size of 2048. We also however declare the reply part of the union to have a uint32_t data field of NFS_READ_SIZE (1024) for a final size of 4096+24=4120 and an overrun. Expand the comment above the struct to note that if NFS_READ_SIZE is increased then the data buf must also be increased and correct the declaration to be uint8_t.
Reported-by: Coverity (CID: 152888)
Cc: Joe Hershberger joe.hershberger@ni.com
Signed-off-by: Tom Rini trini@konsulko.com
net/nfs.h | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/net/nfs.h b/net/nfs.h index 1aa06e8fb90f..b23b4088d825 100644 --- a/net/nfs.h +++ b/net/nfs.h @@ -39,8 +39,9 @@ /*
- Block size used for NFS read accesses. A RPC reply packet (including all
- headers) must fit within a single Ethernet frame to avoid fragmentation.
- However, if CONFIG_IP_DEFRAG is set, a bigger value could be used. In any
- case, most NFS servers are optimized for a power of 2.
- However, if CONFIG_IP_DEFRAG is set, a bigger value could be used, so long
- as rpc_t->u->data is incrased to match. In any case, most NFS servers are
*/
- optimized for a power of 2.
#define NFS_READ_SIZE 1024 /* biggest power of two that fits Ether frame */
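Review bot: the added comment text misspells "increased" as "incrased" and names the buffer rpc_t->u->data, although the struct closes with "} u;", so u is an embedded union and the field is u.data. The coupling between NFS_READ_SIZE and the size of u.data is also enforced only by this comment; a compile-time assertion next to the struct that the reply member fits within the data buffer would catch a future bump of NFS_READ_SIZE instead of relying on the reader.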
@@ -73,7 +74,7 @@ struct rpc_t { uint32_t verifier; uint32_t v2; uint32_t astatus;
uint32_t data[NFS_READ_SIZE];
uint8_t data[NFS_READ_SIZE];
All of the pointer math would also need to be updated. Didn't notice that at first so,
Nacked-by: Joe Hershberger joe.hershberger@ni.com
} reply; } u;
} __attribute__((packed));
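Review bot: switching the element type of reply.data from uint32_t to uint8_t changes what every index and pointer offset into that array means (bytes instead of 32-bit words), and the diffstat lists only net/nfs.h, so any code that walks reply.data in word units is left unconverted. Either convert those users in the same patch, or keep uint32_t and size the array as NFS_READ_SIZE / sizeof(uint32_t), which brings the byte size down to 1024 without changing the element type.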
1.9.1