From patchwork Tue Sep 26 23:37:11 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tom Rini X-Patchwork-Id: 818854 X-Patchwork-Delegate: trini@ti.com Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=lists.denx.de (client-ip=81.169.180.215; helo=lists.denx.de; envelope-from=u-boot-bounces@lists.denx.de; receiver=) Received: from lists.denx.de (dione.denx.de [81.169.180.215]) by ozlabs.org (Postfix) with ESMTP id 3y1y6Z1Nftz9t4X for ; Wed, 27 Sep 2017 09:37:24 +1000 (AEST) Received: by lists.denx.de (Postfix, from userid 105) id 559D4C21C62; Tue, 26 Sep 2017 23:37:16 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on lists.denx.de X-Spam-Level: X-Spam-Status: No, score=-0.0 required=5.0 tests=RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL autolearn=unavailable autolearn_force=no version=3.4.0 Received: from lists.denx.de (localhost [IPv6:::1]) by lists.denx.de (Postfix) with ESMTP id 568B0C21C29; Tue, 26 Sep 2017 23:37:14 +0000 (UTC) Received: by lists.denx.de (Postfix, from userid 105) id B38DDC21C29; Tue, 26 Sep 2017 23:37:12 +0000 (UTC) Received: from mail-qk0-f193.google.com (mail-qk0-f193.google.com [209.85.220.193]) by lists.denx.de (Postfix) with ESMTPS id 5DA36C21C26 for ; Tue, 26 Sep 2017 23:37:11 +0000 (UTC) Received: by mail-qk0-f193.google.com with SMTP id o77so7798667qke.2 for ; Tue, 26 Sep 2017 16:37:11 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:subject:date:message-id; bh=Qf0BYp9cwsOEAa3dvdzDQ6pLCySL840cXNVXlr1XiZI=; b=XEAuMJxyxjwSTA801xa1rJzyUytOxzHYCXw3MkuSd5i1GO60tjnb6Gzi5RQAihuyHf /ck3V/QW4AA7JM1fkbK9hIvFLXTyDxt2a/a24UkCq/Cb0pG1+Y+M0ZMuHHtb/bL6dtIq UoxXSBgXXFsitNYdxvipzhDDOz4v+3wiiV4y4XX2Pt94X4jIBjj7X5ZFT231R2YgGm5L w7Ywou5gHTYzXcv0rCYazvXz9eOCX+SBM0fUaWx5JcOtmzIWP6I0p6TeinKcOkLPCc0g pCZ9pKSHVdlhZrYb8Rp9HZn5QFBHIaGEw2e15FZ/vEVAp8KG+IX/fk6l7Jnn3o0/JAlA 1XfA== X-Gm-Message-State: AMCzsaVY1r6EUsk7stKQWKQopnsnFGQfFl+S5L7vQ0Ov/WP3jFsXdPxD ZATlU2Fw6Gmt8RpHhymNdMyW X-Google-Smtp-Source: AOwi7QABDzXsrfqwoUFwDUHNvV9sITdls6z7gRi1xPKAR2n9CK22a5nWrOdP3krrP76gT3FYqFeghQ== X-Received: by 10.55.23.154 with SMTP id 26mr19373qkx.193.1506469029806; Tue, 26 Sep 2017 16:37:09 -0700 (PDT) Received: from localhost.localdomain (cpe-65-184-142-68.ec.res.rr.com. [65.184.142.68]) by smtp.gmail.com with ESMTPSA id e52sm7694743qtk.62.2017.09.26.16.37.09 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 26 Sep 2017 16:37:09 -0700 (PDT) From: Tom Rini To: u-boot@lists.denx.de Date: Tue, 26 Sep 2017 19:37:11 -0400 Message-Id: <1506469031-11572-1-git-send-email-trini@konsulko.com> X-Mailer: git-send-email 1.9.1 Subject: [U-Boot] [PATCH] cmd/nvedit.c: Update input handling to cover overflow cases X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.18 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" When we have multiple messages provided, we need to be sure that we do not exceed the length of our 'message' buffer. In the for loop, make sure that pos is not larger than message. Only copy in at most however much of the message buffer remains. Finally, if we have not reached the end of the message buffer, put in a space and NULL, and if we have, ensure the buffer is now NULL termined. Reported-by: Coverity (CID: 165116) Signed-off-by: Tom Rini --- cmd/nvedit.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/cmd/nvedit.c b/cmd/nvedit.c index 4033d90c8e2d..055836cc72d1 100644 --- a/cmd/nvedit.c +++ b/cmd/nvedit.c @@ -393,15 +393,18 @@ int do_env_ask(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[]) sprintf(message, "Please enter '%s': ", argv[1]); } else { /* env_ask envname message1 ... messagen [size] */ - for (i = 2, pos = 0; i < argc; i++) { + for (i = 2, pos = 0; i < argc && pos < sizeof(message); i++) { if (pos) message[pos++] = ' '; - strcpy(message + pos, argv[i]); + strncpy(message + pos, argv[i], sizeof(message) - pos); pos += strlen(argv[i]); } - message[pos++] = ' '; - message[pos] = '\0'; + if (pos < sizeof(message) - 1) { + message[pos++] = ' '; + message[pos] = '\0'; + } else + message[CONFIG_SYS_CBSIZE - 1] = '\0'; } if (size >= CONFIG_SYS_CBSIZE)