Sending of very small images (smaller than 128 bytes = xmodem block size) cause out-of-bound memory read access. Fix this issue by ensuring that hdrsz when sending image is not larger than total size of the image. Issue was introduced in commit f8017c37799c ("tools: kwboot: Fix sending Kirkwood v0 images"). Special case when total image is smaller than header size aligned to multiply of xmodem size is already handled since that commit.
Fixes: f8017c37799c ("tools: kwboot: Fix sending Kirkwood v0 images") Signed-off-by: Pali Rohár pali@kernel.org --- tools/kwboot.c | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/tools/kwboot.c b/tools/kwboot.c index 23a893a9b9f8..1cf78dda6755 100644 --- a/tools/kwboot.c +++ b/tools/kwboot.c @@ -1458,6 +1458,8 @@ kwboot_xmodem(int tty, const void *_img, size_t size, int baudrate) * followed by the header. So align header size to xmodem block size. */ hdrsz += (KWBOOT_XM_BLKSZ - hdrsz % KWBOOT_XM_BLKSZ) % KWBOOT_XM_BLKSZ; + if (hdrsz > size) + hdrsz = size;
pnum = 1;