
[U-Boot] cmd/nvedit.c: Update input handling to cover overflow cases

Message ID 1506469031-11572-1-git-send-email-trini@konsulko.com
State Accepted
Commit c667723ffb50b00585b729ee0da7b0e8c93ffa13
Delegated to: Tom Rini
Series [U-Boot] cmd/nvedit.c: Update input handling to cover overflow cases

Commit Message

Tom Rini Sept. 26, 2017, 11:37 p.m. UTC
When we have multiple messages provided, we need to be sure that we do
not exceed the length of our 'message' buffer.  In the for loop, make
sure that pos is not larger than message.  Only copy in at most however
much of the message buffer remains.  Finally, if we have not reached the
end of the message buffer, put in a space and NULL, and if we have,
ensure the buffer is now NULL terminated.

Reported-by: Coverity (CID: 165116)
Signed-off-by: Tom Rini <trini@konsulko.com>
---
 cmd/nvedit.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

Comments

Tom Rini Oct. 7, 2017, 1:09 p.m. UTC | #1
On Tue, Sep 26, 2017 at 07:37:11PM -0400, Tom Rini wrote:

> When we have multiple messages provided, we need to be sure that we do
> not exceed the length of our 'message' buffer.  In the for loop, make
> sure that pos is not larger than message.  Only copy in at most however
> much of the message buffer remains.  Finally, if we have not reached the
> end of the message buffer, put in a space and NULL, and if we have,
> ensure the buffer is now NULL terminated.
> 
> Reported-by: Coverity (CID: 165116)
> Signed-off-by: Tom Rini <trini@konsulko.com>

Applied to u-boot/master, thanks!

Patch

diff --git a/cmd/nvedit.c b/cmd/nvedit.c
index 4033d90c8e2d..055836cc72d1 100644
--- a/cmd/nvedit.c
+++ b/cmd/nvedit.c
@@ -393,15 +393,18 @@  int do_env_ask(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
 		sprintf(message, "Please enter '%s': ", argv[1]);
 	} else {
 		/* env_ask envname message1 ... messagen [size] */
-		for (i = 2, pos = 0; i < argc; i++) {
+		for (i = 2, pos = 0; i < argc && pos < sizeof(message); i++) {
 			if (pos)
 				message[pos++] = ' ';
 
-			strcpy(message + pos, argv[i]);
+			strncpy(message + pos, argv[i], sizeof(message) - pos);
 			pos += strlen(argv[i]);
 		}
-		message[pos++] = ' ';
-		message[pos] = '\0';
+		if (pos < sizeof(message) - 1) {
+			message[pos++] = ' ';
+			message[pos] = '\0';
+		} else
+			message[CONFIG_SYS_CBSIZE - 1] = '\0';
 	}
 
 	if (size >= CONFIG_SYS_CBSIZE)
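
Review bot: The unchanged first line of this hunk, sprintf(message, "Please enter '%s': ", argv[1]), still writes argv[1] into message with no length limit, so the single-message path keeps the same class of problem the loop is being fixed for; a bounded call such as snprintf(message, sizeof(message), ...) would cover it. In the loop, pos += strlen(argv[i]) advances by the full argument length even when strncpy truncated the copy, so pos can run past sizeof(message); that is harmless only because every later use of pos is guarded, and clamping pos to the number of bytes actually copied would make the invariant explicit. strncpy also leaves the buffer unterminated on truncation, so correctness depends entirely on the final else branch. That branch indexes with CONFIG_SYS_CBSIZE - 1 while every other bound here uses sizeof(message); using sizeof(message) - 1 keeps the two from diverging if the buffer size ever changes. Style: the else should carry braces since the if branch does.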