misc-utils: flashcp: fix buffer overflow

The DIFF_BLOCKS code requires that src and dest buffers be large enough
to hold one MTD erasesize. This is because each loop operates on one
eraseblock so that it can erase and write one whole sector. But the src
and dest buffers are fixed at BUFSIZE, so on platforms where the MTD
erasesize are larger then BUFSIZE it will overflow the buffers.

Instead allocate the buffers dynamically so that they can be sized to
fit the erasesize.

Signed-off-by: Brandon Maier <brandon.maier@collins.com>
Signed-off-by: David Oberhollenzer <david.oberhollenzer@sigma-star.at>

diff --git a/misc-utils/flashcp.c b/misc-utils/flashcp.c
index 9e92fa2bfa8ccc311ecc01f0e1b2fdda06cf03ad..1dc0877b7b86ed2a902bce5a8afb18016e7bd900 100644 (file)
--- a/misc-utils/flashcp.c
+++ b/misc-utils/flashcp.c
@@ -57,9 +57,6 @@
 #define KB(x) ((x) / 1024)
 #define PERCENTAGE(x,total) (((x) * 100) / (total))
 
-/* size of read/write buffer */
-#define BUFSIZE (10 * 1024)
-
 /* cmd-line flags */
 #define FLAG_NONE              0x00
 #define FLAG_HELP              0x02
@@ -222,7 +219,7 @@ int main (int argc,char *argv[])
        struct mtd_info_user mtd;
        struct erase_info_user erase;
        struct stat filestat;
-       unsigned char src[BUFSIZE],dest[BUFSIZE];
+       unsigned char *src,*dest;
 
        /*********************
         * parse cmd-line
@@ -304,6 +301,14 @@ int main (int argc,char *argv[])
        if (filestat.st_size > mtd.size)
                log_failure("%s won't fit into %s!\n",filename,device);
 
+       src = malloc(mtd.erasesize);
+       if (!src)
+               log_failure("Malloc failed");
+
+       dest = malloc(mtd.erasesize);
+       if (!dest)
+               log_failure("Malloc failed");
+
        /* diff block flashcp */
        if (flags & FLAG_PARTITION)
        {
@@ -355,11 +360,11 @@ int main (int argc,char *argv[])
 
        log_verbose ("Writing data: 0k/%lluk (0%%)",KB ((unsigned long long)filestat.st_size));
        size = filestat.st_size;
-       i = BUFSIZE;
+       i = mtd.erasesize;
        written = 0;
        while (size)
        {
-               if (size < BUFSIZE) i = size;
+               if (size < mtd.erasesize) i = size;
                log_verbose ("\rWriting data: %dk/%lluk (%llu%%)",
                                KB (written + i),
                                KB ((unsigned long long)filestat.st_size),
@@ -386,12 +391,12 @@ int main (int argc,char *argv[])
        safe_rewind (fil_fd,filename);
        safe_rewind (dev_fd,device);
        size = filestat.st_size;
-       i = BUFSIZE;
+       i = mtd.erasesize;
        written = 0;
        log_verbose ("Verifying data: 0k/%lluk (0%%)",KB ((unsigned long long)filestat.st_size));
        while (size)
        {
-               if (size < BUFSIZE) i = size;
+               if (size < mtd.erasesize) i = size;
                log_verbose ("\rVerifying data: %luk/%lluk (%llu%%)",
                                KB (written + i),
                                KB ((unsigned long long)filestat.st_size),