9os

Unnamed repository; edit this file 'description' to name the repository.
Log | Files | Refs | README | LICENSE
commit 1b56501dec4558883add215690efc848e12729a8
parent 5fc3dd8d06971638cd2094374b9c397407b22cdc
Author: Roberto Vargas <roberto.vargas@arm.com>
Date:   Thu, 21 Feb 2019 13:51:01 +0000

[drivers] Fix buffer overflow in uart/ctl

Change-Id: I9e1f5841690c771eeff881089555199cd8337eae

Diffstat:

Mdrivers/dev.c | 2+-


Mdrivers/devuart.c | 16++++++++--------


Msrc/romfw/dlang.c | 2+-


3 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/drivers/dev.c b/drivers/dev.c
@@ -35,7 +35,7 @@ newchan(unsigned char type)
 static Chan *
 fd2chan(int fd)
 {
-	if (fd < 0 || fd >= NR_CHANS) {
+	if (fd < 0 || fd >= NR_CHANS || fdset[fd].type == NODEV) {
 		errno = EBADF;
 		return NULL;
 	}
diff --git a/drivers/devuart.c b/drivers/devuart.c
@@ -78,15 +78,13 @@ getuart(Chan *c)
 }
 
 static int
-uartstatus(Uart *up, void *buf, long long offset, int n)
+uartstatus(Uart *up, void *buf, Chan *c, int n)
 {
 	int len;
+	unsigned long long offset = c->offset;
 	struct uartstat st;
 	char tmp[UARTSTATUS];
 
-	if (offset >= UARTSTATUS)
-		return 0;
-
 	(*up->phy->status)(up, &st);
 
 	len = ksnprint(tmp, sizeof(tmp),
@@ -102,11 +100,13 @@ uartstatus(Uart *up, void *buf, long long offset, int n)
 	               up->nstop,
 	               up->fifo);
 
-	if (offset >= len)
+	if (n + offset >= len)
+		n = len - offset;
+
+	if (offset >= len || n == 0)
 		return 0;
 
-	if (n + offset >= len)
-		n = UARTSTATUS - offset;
+	c->offset += n;
 
 	memcpy(buf, tmp + offset, n);
 	return n;
@@ -232,7 +232,7 @@ uartread(Chan *c, void *buf, int n)
 		return (*up->phy->read)(up, buf, n);
 	case Qctl:
 		up = getuart(c);
-		return uartstatus(up, buf, c->offset, n);
+		return uartstatus(up, buf, c, n);
 	default:
 		panic("uartread");
 	}
diff --git a/src/romfw/dlang.c b/src/romfw/dlang.c
@@ -219,7 +219,7 @@ do_cat(const struct cmd *cmd, struct args *args)
 		return -1;
 
 	while ((n = read(fd, buf, sizeof(buf))) > 0)
-		kprint(PREFIX "%s\n", buf);
+		kprint(PREFIX "%s", buf);
 
 	if (close(fd) < 0 || n < 0)
 		return -1;