Bug #408

closed

Bug #438: Release v1.4

flashbuses_to_text() may crash flashrom

Added by Alexander Goncharov over 2 years ago. Updated over 1 year ago.

Status: Resolved
Priority: Normal
Category: -
Target version:
Start date: 08/22/2022
Due date:
% Done: 0%
Estimated time:
Affected versions:
Needs backport to:
Affected hardware:
Affected OS:

Description

See the provided comments in the function code towards the end.

/*
 * Return a string corresponding to the bustype parameter.
 * Memory is obtained with malloc() and must be freed with free() by the caller.
 */
char *flashbuses_to_text(enum chipbustype bustype)
{
    char *ret = calloc(1, 1);
    /*
     * FIXME: Once all chipsets and flash chips have been updated, NONSPI
     * will cease to exist and should be eliminated here as well.
     */
    if (bustype == BUS_NONSPI) {
        ret = strcat_realloc(ret, "Non-SPI, ");
    } else {
        if (bustype & BUS_PARALLEL)
            ret = strcat_realloc(ret, "Parallel, ");
        if (bustype & BUS_LPC)
            ret = strcat_realloc(ret, "LPC, ");
        if (bustype & BUS_FWH)
            ret = strcat_realloc(ret, "FWH, ");
        if (bustype & BUS_SPI)
            ret = strcat_realloc(ret, "SPI, ");
        if (bustype & BUS_PROG)
            ret = strcat_realloc(ret, "Programmer-specific, ");
        if (bustype == BUS_NONE)
            ret = strcat_realloc(ret, "None, ");
    }
    // BUG:
    // If ret == NULL right now, then flashrom will crash.
    // strlen(ret) will cause a segmentation fault.

    /* Kill last comma. */
    ret[strlen(ret) - 2] = '\0';
    ret = realloc(ret, strlen(ret) + 1);
    return ret;
}
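
A NULL-checked variant of the function above, added here as an example; it is not part of the original report and is not flashrom's code. The enum bit values, the `append_or_null()` helper and the `fail_on_append` test hook are assumptions made so the block runs stand-alone.

```c
#include <stdlib.h>
#include <string.h>

/* Bit values assumed for this example only. */
enum chipbustype {
	BUS_NONE = 0, BUS_PARALLEL = 1 << 0, BUS_LPC = 1 << 1, BUS_FWH = 1 << 2,
	BUS_SPI = 1 << 3, BUS_PROG = 1 << 4,
	BUS_NONSPI = BUS_PARALLEL | BUS_LPC | BUS_FWH,
};

/* Constructed test hook: make the Nth append fail (0 = never fail). */
static int fail_on_append = 0;
static int append_count = 0;

/* Hypothetical stand-in for strcat_realloc(): accepts NULL, frees dest on failure. */
static char *append_or_null(char *dest, const char *src)
{
	if (!dest)
		return NULL;	/* propagate an earlier allocation failure */
	char *tmp = NULL;
	if (++append_count != fail_on_append)
		tmp = realloc(dest, strlen(dest) + strlen(src) + 1);
	if (!tmp) {
		free(dest);	/* realloc() leaves dest valid on failure; avoid a leak */
		return NULL;
	}
	return strcat(tmp, src);
}

/* Returns a malloc()ed string, or NULL if any allocation failed. */
char *flashbuses_to_text_checked(enum chipbustype bustype)
{
	static const struct { enum chipbustype bit; const char *name; } map[] = {
		{ BUS_PARALLEL, "Parallel, " }, { BUS_LPC, "LPC, " }, { BUS_FWH, "FWH, " },
		{ BUS_SPI, "SPI, " }, { BUS_PROG, "Programmer-specific, " },
	};
	char *ret = calloc(1, 1);
	append_count = 0;
	if (bustype == BUS_NONSPI) ret = append_or_null(ret, "Non-SPI, ");
	else if (bustype == BUS_NONE) ret = append_or_null(ret, "None, ");
	else
		for (size_t i = 0; i < sizeof(map) / sizeof(map[0]); i++)
			if (bustype & map[i].bit)
				ret = append_or_null(ret, map[i].name);
	if (!ret)
		return NULL;	/* the check missing before strlen(ret) in the report */
	size_t len = strlen(ret);
	if (len >= 2)		/* nothing to trim if no name was appended */
		ret[len - 2] = '\0';	/* kill the trailing ", " */
	return ret;
}
```

Callers must treat a NULL return as an out-of-memory condition and still free() any non-NULL result.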