All of lore.kernel.org
 help / color / mirror / Atom feed
* [U-Boot] [PATCH] mtdparts: fixed buffer overflow bug
@ 2018-07-17  6:19 Kay Potthoff
  2018-07-26 19:54 ` [U-Boot] " Tom Rini
  0 siblings, 1 reply; 2+ messages in thread
From: Kay Potthoff @ 2018-07-17  6:19 UTC (permalink / raw)
  To: u-boot

In the case that there was no name defined for a partition the
code assumes that name_len is 22 and therefore allocates exactly
that space for a dummy name. But the function sprintf() first
resolves "0x%08llx at 0x%08llx" to a string that is longer than 22
bytes. This leads to a buffer overflow. The replacement function
snprintf() limits the copied bytes to name_len and therefore
avoids the buffer overflow.

Signed-off-by: Kay Potthoff <Kay.Potthoff@microsys.de>
---
 cmd/mtdparts.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/mtdparts.c b/cmd/mtdparts.c
index 9bc977450cf8..d0cda1bea400 100644
--- a/cmd/mtdparts.c
+++ b/cmd/mtdparts.c
@@ -691,7 +691,7 @@ static int part_parse(const char *const partdef, const char **ret, struct part_i
 		part->auto_name = 0;
 	} else {
 		/* auto generated name in form of size at offset */
-		sprintf(part->name, "0x%08llx at 0x%08llx", size, offset);
+		snprintf(part->name, name_len, "0x%08llx at 0x%08llx", size, offset);
 		part->auto_name = 1;
 	}
 
-- 
2.17.0

^ permalink raw reply related	[flat|nested] 2+ messages in thread
* [U-Boot] mtdparts: fixed buffer overflow bug
  2018-07-17  6:19 [U-Boot] [PATCH] mtdparts: fixed buffer overflow bug Kay Potthoff
@ 2018-07-26 19:54 ` Tom Rini
  0 siblings, 0 replies; 2+ messages in thread
From: Tom Rini @ 2018-07-26 19:54 UTC (permalink / raw)
  To: u-boot

On Tue, Jul 17, 2018 at 08:19:39AM +0200, Kay Potthoff wrote:

> In the case that there was no name defined for a partition the
> code assumes that name_len is 22 and therefore allocates exactly
> that space for a dummy name. But the function sprintf() first
> resolves "0x%08llx at 0x%08llx" to a string that is longer than 22
> bytes. This leads to a buffer overflow. The replacement function
> snprintf() limits the copied bytes to name_len and therefore
> avoids the buffer overflow.
> 
> Signed-off-by: Kay Potthoff <Kay.Potthoff@microsys.de>

Applied to u-boot/master, thanks!

-- 
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180726/57b652f5/attachment.sig>

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-07-26 19:54 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-07-17  6:19 [U-Boot] [PATCH] mtdparts: fixed buffer overflow bug Kay Potthoff
2018-07-26 19:54 ` [U-Boot] " Tom Rini

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.