| Message ID | 1398432943-8193-1-git-send-email-kotnes@cisco.com |
|---|---|
| State | Accepted |
| Delegated to: | Tom Rini |
| Headers | show |
On Fri, Apr 25, 2014 at 03:35:43PM +0200, Kristian Otnes wrote: > console_buffer array is defined to be CONFIG_SYS_CBSIZE + 1 long, > whereas the_command array only CONFIG_SYS_CBSIZE long. Subsequent > use of strcpy(the_command, console_buffer) will write final \0 > terminating byte outside the_command array when entering a command > of max length. > > Signed-off-by: Kristian Otnes <kotnes <at> cisco <dot> com> Applied to u-boot/master, thanks!
diff --git a/common/hush.c b/common/hush.c index df10267..5b43224 100644 --- a/common/hush.c +++ b/common/hush.c @@ -996,7 +996,7 @@ static void get_user_input(struct in_str *i) i->p = the_command; #else int n; - static char the_command[CONFIG_SYS_CBSIZE]; + static char the_command[CONFIG_SYS_CBSIZE + 1]; #ifdef CONFIG_BOOT_RETRY_TIME # ifndef CONFIG_RESET_TO_RETRY
console_buffer array is defined to be CONFIG_SYS_CBSIZE + 1 long, whereas the_command array only CONFIG_SYS_CBSIZE long. Subsequent use of strcpy(the_command, console_buffer) will write final \0 terminating byte outside the_command array when entering a command of max length. Signed-off-by: Kristian Otnes <kotnes <at> cisco <dot> com> --- common/hush.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)