Subject: [PATCH v2 06/13] env: Check for terminating null-byte in env_match()
Date: Wed, 13 Oct 2021 17:45:50 +0200
Message-Id: <20211013154557.28479-7-kabel@kernel.org>
To: Simon Glass, Tom Rini
Cc: U-Boot Mailing List
From: Marek Behún

There is a possible overflow in env_match(): if environment contains
a terminating null-byte before '=' character (i.e. environment is
broken), the env_match() function can access data after the terminating
null-byte from parameter pointer.

Example: if env_get_char() returns characters from string array
"abc\0def\0" and env_match("abc", 0) is called, the function will access
at least one byte after the end of the "abc" literal.

Fix this by checking for terminating null-byte in env_match().

Signed-off-by: Marek Behún
Reviewed-by: Simon Glass
---
Change since v1:
- check for '\0' only after incrementing i2
---
 cmd/nvedit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/nvedit.c b/cmd/nvedit.c index e2e8a38b5d..a22445132b 100644 --- a/cmd/nvedit.c +++ b/cmd/nvedit.c @@ -711,7 +711,7 @@ static int env_match(uchar *s1, int i2) if (s1 == NULL || *s1 == '\0') return -1; - while (*s1 == env_get_char(i2++)) + while (*s1 == env_get_char(i2++) && *s1 != '\0') if (*s1++ == '=') return i2;
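
Review bot: The operand order in the new `while` condition in env_match() is load-bearing, but nothing in the code says so. `env_get_char(i2++)` sits on the left of the `&&`, so i2 is still incremented on the iteration where s1 reaches its terminator, which is what the v2 changelog ("check for '\0' only after incrementing i2") refers to. That note lives below the `---` and will not survive into the commit, so a later cleanup that moves the cheaper `*s1 != '\0'` test first would silently change the value of i2 on loop exit. Suggest a one-line comment above the loop stating that the increment must happen before the terminator test, or moving the changelog sentence into the commit message proper.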