From a6ef73359c0e0537ebf83795ebacbbfaee2c9c28 Mon Sep 17 00:00:00 2001
From: pancake <pancake@flubox>
Date: Fri, 19 Dec 2008 19:39:27 +0100
Subject: * Apply security patches from Erik Hovland - Thanks!

---
 src/dump.c          |  8 ++++----
 src/fiasco.c        |  2 +-
 src/fpid.c          |  7 ++++++-
 src/hash.c          |  4 +++-
 src/qmode.c         | 49 ++++++++++++++++++++++---------------------------
 src/squeue/squeue.c |  7 ++++++-
 6 files changed, 42 insertions(+), 35 deletions(-)

(limited to 'src')

diff --git a/src/dump.c b/src/dump.c
index e102ce9..3f15fce 100644
--- a/src/dump.c
+++ b/src/dump.c
@@ -69,17 +69,14 @@ __rf_extract_exit:
  * This function was covardly copied from nanddump.c @ mtd-utils-20060907
  */
 #define _GNU_SOURCE
-#include <ctype.h>
 #include <errno.h>
 #include <fcntl.h>
 #include <stdio.h>
 #include <stdlib.h>
-#include <string.h>
 #include <unistd.h>
 #include <getopt.h>
 #include <sys/ioctl.h>
 #include <sys/types.h>
-#include <sys/stat.h>
 //#include <asm/types.h>
 #include <mtd/mtd-user.h>
 #ifndef loff_t
@@ -171,6 +168,9 @@ int check_badblocks(char *mtddev)
 		return 1;
 	}
 
+	memset(&stat1, 0, sizeof(stat1));
+	memset(&stat2, 0, sizeof(stat2));
+
         fprintf(stderr, "Block size %u, page size %u, OOB size %u\n",
                 meminfo.erasesize, meminfo.writesize, meminfo.oobsize);
         fprintf(stderr, "Size %u, flags %u, type 0x%x\n",
@@ -498,7 +498,7 @@ int dump_config()
 			break;
 		if (!memcmp(buf,"ConF", 4)) {
 		loop:
-			read(fd, buf, 4);
+			ret = read(fd, buf, 4);
 			if (ret == -1) break;
 			printf("\n0x%08x : ConF %02x %02x %02x %02x : ", i,
 				buf[0], buf[1], buf[2], buf[3]);
diff --git a/src/fiasco.c b/src/fiasco.c
index 3e9da9f..cb27b10 100644
--- a/src/fiasco.c
+++ b/src/fiasco.c
@@ -62,7 +62,7 @@ int openfiasco(char *name, char *piece_grep, int v)
 	read(header.fd, buf, namelen);
 
 	if (v) printf("Fiasco version: %2d\n", buf[3]);
-	strcpy(header.fwname, (char *)buf+6);
+	strncpy(header.fwname, (char *)buf+6, sizeof(header.fwname) - 1);
 	if (v)
 	for(i=6;i<namelen;i+=strlen((char *)(buf+i))+1)
 		printf("Name: %s\n", buf+i);
diff --git a/src/fpid.c b/src/fpid.c
index f36b758..7387855 100644
--- a/src/fpid.c
+++ b/src/fpid.c
@@ -37,7 +37,12 @@ long fpid_size(const char *filename)
 {
 	long sz;
 	FILE *fd = fopen(filename, "r");
-	fseek(fd, 0, SEEK_END);
+	if (fd == NULL)
+		return -1;
+	if (fseek(fd, 0, SEEK_END) != 0) {
+		fclose(fd);
+		return -1;
+	}
 	sz = ftell(fd);
 	fclose(fd);
 	return sz;
diff --git a/src/hash.c b/src/hash.c
index 77b4159..d4ad607 100644
--- a/src/hash.c
+++ b/src/hash.c
@@ -40,8 +40,10 @@ usho do_hash_file(const char *filename)
 	}
 
 	do {	ret   = fread(&buf, 1, BSIZE, fd);
-		if (ret == -1)
+		if (ret == -1) {
+			fclose(fd);
 			return 0;
+		}
 		hash ^= do_hash((usho *)&buf, ret);
 	} while(ret);
 
diff --git a/src/qmode.c b/src/qmode.c
index d8c22db..cf52866 100644
--- a/src/qmode.c
+++ b/src/qmode.c
@@ -43,38 +43,33 @@ void process_message(char *msg)
 {
 	char *str;
 	char *arg;
-	int c=1;
 	if (msg == NULL)
 		return;
 	printf("[x] (%s)\n", msg);
 	str = strdup(msg);
 	arg = strchr(str, ':');
-	if (c!=0) {
-		arg[0]='\0';
-		arg = arg +1;
-		if (!strcmp(str, "flash")) {
-			const char *type = fpid_file(arg);
-			if (type == NULL) {
-				squeue_push2(p, "error", "Unknown piece format", 1);
-			} else flash_image(arg, type, NULL);
-		} else
-		if (!strcmp(str, "reset")) {
-			if (reboot_board() == 0) {
-				squeue_push2(p,"info", "Device reboots", 1);
-			} else squeue_push2(p,"error", "Cannot reboot device", 1);
-		} else
-		if (!strcmp(str, "info")) {
-			get_rd_flags();
-			squeue_push2(p, "info", strbuf, 1);
-			get_nolo_version();
-			squeue_push2(p, "info", strbuf, 1);
-			get_usb_mode();
-			squeue_push2(p, "info", strbuf, 1);
-		} else
-			squeue_push2(p, "error", "invalid command", 0);
-	} else {
-		squeue_push2(p, "error", "invalid command format", 0);
-	}
+	arg[0]='\0';
+	arg = arg +1;
+	if (!strcmp(str, "flash")) {
+		const char *type = fpid_file(arg);
+		if (type == NULL) {
+			squeue_push2(p, "error", "Unknown piece format", 1);
+		} else flash_image(arg, type, NULL);
+	} else
+	if (!strcmp(str, "reset")) {
+		if (reboot_board() == 0) {
+			squeue_push2(p,"info", "Device reboots", 1);
+		} else squeue_push2(p,"error", "Cannot reboot device", 1);
+	} else
+	if (!strcmp(str, "info")) {
+		get_rd_flags();
+		squeue_push2(p, "info", strbuf, 1);
+		get_nolo_version();
+		squeue_push2(p, "info", strbuf, 1);
+		get_usb_mode();
+		squeue_push2(p, "info", strbuf, 1);
+	} else
+		squeue_push2(p, "error", "invalid command", 0);
 	free(str);
 }
 
diff --git a/src/squeue/squeue.c b/src/squeue/squeue.c
index 96f2b59..89fc7f5 100644
--- a/src/squeue/squeue.c
+++ b/src/squeue/squeue.c
@@ -40,13 +40,18 @@ struct squeue_t *squeue_open(const char *file, int mode)
 	struct squeue_t *q;
 	char *pool;
 	int shmid;
+	int fd;
 	key_t k;
 
 	k = ftok(file, 0x34);
 	if (k == -1) {
 		perror("ftok");
 		squeue_release(file);
-		close(creat(file, 0666));
+		if ((fd = creat(file, 0666)) == -1) {
+			perror("creat");
+			return NULL;
+		}
+		close(fd);
 		chmod(file, 0666);
 		k = ftok(file, 0xa3);
 		if (k == -1) {
-- 
cgit v1.2.3