mirror of
https://source.denx.de/u-boot/u-boot.git
synced 2025-08-06 07:17:01 +02:00
89911825a2
As stated in DFU documentation [1], the device interface part might be
missing in dfu_alt_info:
dfu_alt_info
The DFU setting for the USB download gadget with a semicolon
separated string of information on each alternate:
dfu_alt_info="<alt1>;<alt2>;....;<altN>"
When several devices are used, the format is:
- <interface> <dev>'='alternate list (';' separated)
So in first case dfu_alt_info might look like something like this:
dfu_alt_info="mmc 0=rawemmc raw 0 0x747c000 mmcpart 1;"
And in second case (when the interface is missing):
dfu_alt_info="rawemmc raw 0 0x747c000 mmcpart 1;"
When the interface is not specified the 'dfu' command crashes when
called using 'dfu 0' or 'dfu list' syntax:
=> dfu list
"Synchronous Abort" handler, esr 0x96000006, far 0x0
That's happening due to incorrect string handling in
dfu_config_interfaces(). In case when the interface is not specified in
dfu_alt_info it triggers this corner case:
d = strsep(&s, "="); // now d contains s, and s is NULL
if (!d)
break;
a = strsep(&s, "&"); // s is already NULL, so a is NULL too
if (!a) // corner case
a = s; // a is NULL now
which causes NULL pointer dereference later in this call, due to 'a'
being NULL:
part = skip_spaces(part);
That's because as per strsep() behavior, when delimiter ("&") is not
found, the token (a) becomes the entire string (s), and string (s)
becomes NULL. To fix that issue assign "a = d" instead of "a = s",
because at that point variable d actually contains previous s, which
should be used in this case.
[1] doc/usage/dfu.rst
Fixes: commit
|
||
|---|---|---|
| .. | ||
| dfu_alt.c | ||
| dfu_mmc.c | ||
| dfu_mtd.c | ||
| dfu_nand.c | ||
| dfu_ram.c | ||
| dfu_scsi.c | ||
| dfu_sf.c | ||
| dfu_virt.c | ||
| dfu.c | ||
| Kconfig | ||
| Makefile | ||