[v2,06/13] env: Check for terminating null-byte in env_match()

Message ID 20211013154557.28479-7-kabel@kernel.org
State Superseded
Delegated to: Simon Glass
Series env_get_char() removal and env_get_f() refactor

Commit Message

Marek Behún Oct. 13, 2021, 3:45 p.m. UTC
From: Marek Behún <marek.behun@nic.cz>

There is a possible overflow in env_match(): if environment contains
a terminating null-byte before '=' character (i.e. environment is
broken), the env_match() function can access data after the terminating
null-byte from parameter pointer.

Example: if env_get_char() returns characters from string array
"abc\0def\0" and env_match("abc", 0) is called, the function will access
at least one byte after the end of the "abc" literal.

Fix this by checking for terminating null-byte in env_match().

Signed-off-by: Marek Behún <marek.behun@nic.cz>
---
Change since v1:
- check for '\0' only after incrementing i2
---
 cmd/nvedit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Simon Glass Oct. 14, 2021, 3:11 p.m. UTC | #1
On Wed, 13 Oct 2021 at 09:46, Marek Behún <kabel@kernel.org> wrote:
>
> From: Marek Behún <marek.behun@nic.cz>
>
> There is a possible overflow in env_match(): if environment contains
> a terminating null-byte before '=' character (i.e. environment is
> broken), the env_match() function can access data after the terminating
> null-byte from parameter pointer.
>
> Example: if env_get_char() returns characters from string array
> "abc\0def\0" and env_match("abc", 0) is called, the function will access
> at least one byte after the end of the "abc" literal.
>
> Fix this by checking for terminating null-byte in env_match().
>
> Signed-off-by: Marek Behún <marek.behun@nic.cz>
> ---
> Change since v1:
> - check for '\0' only after incrementing i2
> ---
>  cmd/nvedit.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>

Reviewed-by: Simon Glass <sjg@chromium.org>

Patch

diff --git a/cmd/nvedit.c b/cmd/nvedit.c
index e2e8a38b5d..a22445132b 100644
--- a/cmd/nvedit.c
+++ b/cmd/nvedit.c
@@ -711,7 +711,7 @@  static int env_match(uchar *s1, int i2)
 	if (s1 == NULL || *s1 == '\0')
 		return -1;
 
-	while (*s1 == env_get_char(i2++))
+	while (*s1 == env_get_char(i2++) && *s1 != '\0')
 		if (*s1++ == '=')
 			return i2;
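
Review bot: The operand order in the new while condition is load-bearing but undocumented. `*s1 != '\0'` sits after `env_get_char(i2++)`, so i2 is still advanced on the iteration where s1 reaches its terminator, which is what the v2 changelog ("check for '\0' only after incrementing i2") asks for. A later cleanup that moves the cheaper null test to the front would silently change the value of i2 at loop exit. A one-line comment above the loop saying that the increment must happen before the terminator test would protect this. As a style point, the loop body is now a multi-line if under a longer condition, and braces around it would make the control flow easier to follow.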