* [U-Boot] [PATCH] mtdparts: fixed buffer overflow bug
@ 2018-07-17 6:19 Kay Potthoff
2018-07-26 19:54 ` [U-Boot] " Tom Rini
0 siblings, 1 reply; 2+ messages in thread
From: Kay Potthoff @ 2018-07-17 6:19 UTC (permalink / raw)
To: u-boot
In the case that there was no name defined for a partition the
code assumes that name_len is 22 and therefore allocates exactly
that space for a dummy name. But the function sprintf() first
resolves "0x%08llx at 0x%08llx" to a string that is longer than 22
bytes. This leads to a buffer overflow. The replacement function
snprintf() limits the copied bytes to name_len and therefore
avoids the buffer overflow.
Signed-off-by: Kay Potthoff <Kay.Potthoff@microsys.de>
---
cmd/mtdparts.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/mtdparts.c b/cmd/mtdparts.c
index 9bc977450cf8..d0cda1bea400 100644
--- a/cmd/mtdparts.c
+++ b/cmd/mtdparts.c
@@ -691,7 +691,7 @@ static int part_parse(const char *const partdef, const char **ret, struct part_i
part->auto_name = 0;
} else {
/* auto generated name in form of size at offset */
- sprintf(part->name, "0x%08llx at 0x%08llx", size, offset);
+ snprintf(part->name, name_len, "0x%08llx at 0x%08llx", size, offset);
part->auto_name = 1;
}
--
2.17.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [U-Boot] mtdparts: fixed buffer overflow bug
2018-07-17 6:19 [U-Boot] [PATCH] mtdparts: fixed buffer overflow bug Kay Potthoff
@ 2018-07-26 19:54 ` Tom Rini
0 siblings, 0 replies; 2+ messages in thread
From: Tom Rini @ 2018-07-26 19:54 UTC (permalink / raw)
To: u-boot
On Tue, Jul 17, 2018 at 08:19:39AM +0200, Kay Potthoff wrote:
> In the case that there was no name defined for a partition the
> code assumes that name_len is 22 and therefore allocates exactly
> that space for a dummy name. But the function sprintf() first
> resolves "0x%08llx at 0x%08llx" to a string that is longer than 22
> bytes. This leads to a buffer overflow. The replacement function
> snprintf() limits the copied bytes to name_len and therefore
> avoids the buffer overflow.
>
> Signed-off-by: Kay Potthoff <Kay.Potthoff@microsys.de>
Applied to u-boot/master, thanks!
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20180726/57b652f5/attachment.sig>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-07-26 19:54 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-07-17 6:19 [U-Boot] [PATCH] mtdparts: fixed buffer overflow bug Kay Potthoff
2018-07-26 19:54 ` [U-Boot] " Tom Rini
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.