Passing a too large size or offset to erase could affect flash outside the partition boundary. Addresses for SPI flash wrap around, thus giving a count + offset going past the end of the flash would wrap around and erase flash at offset 0. Add the same check for protect.
Signed-off-by: Johannes Stezenbach <js@xxxxxxxxx>
---
 fs/fs.c | 18 ++++++++----------
 1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/fs/fs.c b/fs/fs.c
index 9cda1d9..af73c8c 100644
--- a/fs/fs.c
+++ b/fs/fs.c
@@ -751,14 +751,13 @@ int erase(int fd, size_t count, unsigned long offset) if (check_fd(fd)) return -errno; + if (offset >= f->size) + return 0; + if (count > f->size - offset) + count = f->size - offset; dev = f->dev; - fsdrv = dev_to_fs_driver(dev); - - if (f->pos + count > f->size) - count = f->size - f->pos; - if (fsdrv->erase) ret = fsdrv->erase(dev, f, count, offset); else
@@ -780,14 +779,13 @@ int protect(int fd, size_t count, unsigned long offset, int prot) if (check_fd(fd)) return -errno; + if (offset >= f->size) + return 0; + if (count > f->size - offset) + count = f->size - offset; dev = f->dev; - fsdrv = dev_to_fs_driver(dev); - - if (f->pos + count > f->size) - count = f->size - f->pos; - if (fsdrv->protect) ret = fsdrv->protect(dev, f, count, offset, prot); else
-- 
1.7.10
_______________________________________________
barebox mailing list
barebox@xxxxxxxxxxxxxxxxxxx
http://lists.infradead.org/mailman/listinfo/barebox
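Review bot: In both hunks the added `if (offset >= f->size) return 0;` reports success for a request that lies wholly outside the partition, and the clamp `count = f->size - offset;` silently shortens one that lies partly outside. For protect() in particular, a caller cannot tell that nothing, or less than it asked for, was write-protected; unless existing callers depend on the no-op, `return -EINVAL;` for the out-of-range offset would surface this, or at minimum a comment such as `/* out-of-range requests are truncated to the partition and still return 0 */` should document it. As rendered here, `fsdrv = dev_to_fs_driver(dev);` appears on the removed side while `fsdrv->erase` and `fsdrv->protect` are still dereferenced below; the collapsed layout leaves it unclear whether that line is removed or context, so confirm against the applied patch. Both function bodies start and end outside the hunks, and the assignment of `f` that the new checks depend on is not visible.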