* ron minnich rminnich@gmail.com [070828 06:16]:
=================================================================== --- lib/lar.c (revision 480) +++ lib/lar.c (working copy) @@ -42,9 +49,31 @@
for (walk = archive->start; (walk - 1) < (char *)(archive->start + archive->len - 1 ); walk += 16) {
if (strcmp(walk, MAGIC) != 0)
/* I am leaving this code in here because it is so dangerous. MAGIC is* #define'd to a string. That string lives in data space. All of the 1M linuxbios* image is a LAR file. Therefore, this search can walk ALL of linuxbios.* IF the MAGIC string (in code space) just happens to be 16-byte aligned,* Then the strcmp will succeed, and you will match a non-LAR entry,* and you are screwed. can this happen? YES!* LAR: Attempting to open 'fallback/initram'.* LAR: Start 0xfff00000 len 0x100000* LAR: current filename is normal/payload* LAR: current filename is normal/option_table* LAR: current filename is normal/stage2* LAR: current filename is normal/initram* LAR: current filename is R: it matches %s @ %p* That garbage is there because the pointer is in the middle of a bunch* of non-null-terminated junk. The fix is easy, as you can see.
I think the fix could be even simpler. Instead, if the first header is found, the second header should be searched _after_ the end of the first file in the LAR archive. Going through all of the ROM including the data itself is plain stupid. I remember we did not do this in the beginning, but we broke it since then.
if (walk[0] != 'L') continue;if (strcmp(&walk[1], MAGIC) != 0)continue;
- printf(" -e pre-parse the payload ELF into LAR segments. Recommended\n\n");
{"parseelf", 1, 0, 'p'},
- while ((opt = getopt_long(argc, argv, "acC:xls:b:vVh?",
--parseelf will not work like that.
+/* NOTE -- This and the linuxbios lar.h are NOT IN SYNC. Be careful. */
What do you mean, by "not in sync"?