Patchwork [U-Boot] stdio: Fix a possible buffer overflow

login
register
mail settings
Submitter Bradley Bolen
Date Aug. 22, 2011, 9:48 p.m.
Message ID <1314049685.74936.YahooMailClassic@web110204.mail.gq1.yahoo.com>
Download mbox | patch
Permalink /patch/110999/
State Accepted
Headers show

Comments

Bradley Bolen - Aug. 22, 2011, 9:48 p.m.
Signed-off-by: Bradley Bolen <bradleybolen at yahoo.com>
---
The length of the name of a stdio_dev is 16 bytes, but the local
variable to hold it is only 8 bytes.  Also, the memcpy should copy
the size of the destination, not the size of the source.
---
 common/stdio.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
Wolfgang Denk - Sept. 4, 2011, 9:28 p.m.
Dear Bradley Bolen,

In message <1314049685.74936.YahooMailClassic@web110204.mail.gq1.yahoo.com> you wrote:
> Signed-off-by: Bradley Bolen <bradleybolen at yahoo.com>
> ---
> The length of the name of a stdio_dev is 16 bytes, but the local
> variable to hold it is only 8 bytes.  Also, the memcpy should copy
> the size of the destination, not the size of the source.
> ---
>  common/stdio.c |    4 ++--
>  1 files changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/common/stdio.c b/common/stdio.c
> index 6b2ed24..5c1adb1 100644
> --- a/common/stdio.c
> +++ b/common/stdio.c
> @@ -160,7 +160,7 @@ int stdio_deregister(const char *devname)
>     int l;
>     struct list_head *pos;
>     struct stdio_dev *dev;
> -   char temp_names[3][8];
> +   char temp_names[3][16];
>  
>     dev = stdio_get_by_name(devname);
>  
> @@ -174,7 +174,7 @@ int stdio_deregister(const char *devname)
>         }   
>         memcpy (&temp_names[l][0],
>             stdio_devices[l]->name,
> -           sizeof(stdio_devices[l]->name));
> +           sizeof(temp_names[l]));

Your patch is white space corrupted.  Please make sure to use
git-send-email next time (or at least fix your mailer).

Applied manually, thanks.

Best regards,

Wolfgang Denk

Patch

diff --git a/common/stdio.c b/common/stdio.c
index 6b2ed24..5c1adb1 100644
--- a/common/stdio.c
+++ b/common/stdio.c
@@ -160,7 +160,7 @@  int stdio_deregister(const char *devname)
    int l;
    struct list_head *pos;
    struct stdio_dev *dev;
-   char temp_names[3][8];
+   char temp_names[3][16];
 
    dev = stdio_get_by_name(devname);
 
@@ -174,7 +174,7 @@  int stdio_deregister(const char *devname)
        }   
        memcpy (&temp_names[l][0],
            stdio_devices[l]->name,
-           sizeof(stdio_devices[l]->name));
+           sizeof(temp_names[l]));
    }   
 
    list_del(&(dev->list));