| Message ID | 20230502023409.138379-1-heinrich.schuchardt@canonical.com |
|---|---|
| State | Accepted |
| Commit | 7bae13da36477ce451ef5975e0cf79dbe035b52c |
| Delegated to: | Tom Rini |
| Headers | show |
| Series | [1/1] cli: avoid buffer overrun | expand |
On Mon, 1 May 2023 at 20:34, Heinrich Schuchardt <heinrich.schuchardt@canonical.com> wrote: > > Invoking the sandbox with > > /u-boot -c ⧵0xef⧵0xbf⧵0xbd > > results in a segmentation fault. > > Function b_getch() retrieves a character from the input stream. This > character may be > 0x7f. If type char is signed, static_get() will > return a negative number and in parse_stream() we will use that > negative number as an index for array map[] resulting in a buffer > overflow. > > Reported-by: Harry Lockyer <harry_lockyer@tutanota.com> > Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> > --- > common/cli_hush.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) Reviewed-by: Simon Glass <sjg@chromium.org>
On Tue, May 02, 2023 at 04:34:09AM +0200, Heinrich Schuchardt wrote: > Invoking the sandbox with > > /u-boot -c ⧵0xef⧵0xbf⧵0xbd > > results in a segmentation fault. > > Function b_getch() retrieves a character from the input stream. This > character may be > 0x7f. If type char is signed, static_get() will > return a negative number and in parse_stream() we will use that > negative number as an index for array map[] resulting in a buffer > overflow. > > Reported-by: Harry Lockyer <harry_lockyer@tutanota.com> > Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> > Reviewed-by: Simon Glass <sjg@chromium.org> Applied to u-boot/next, thanks!
diff --git a/common/cli_hush.c b/common/cli_hush.c index 1ad7a509df..77df42428b 100644 --- a/common/cli_hush.c +++ b/common/cli_hush.c @@ -324,7 +324,7 @@ typedef struct { /* I can almost use ordinary FILE *. Is open_memstream() universally * available? Where is it documented? */ struct in_str { - const char *p; + const unsigned char *p; #ifndef __U_BOOT__ char peek_buf[2]; #endif
Invoking the sandbox with /u-boot -c ⧵0xef⧵0xbf⧵0xbd results in a segmentation fault. Function b_getch() retrieves a character from the input stream. This character may be > 0x7f. If type char is signed, static_get() will return a negative number and in parse_stream() we will use that negative number as an index for array map[] resulting in a buffer overflow. Reported-by: Harry Lockyer <harry_lockyer@tutanota.com> Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com> --- common/cli_hush.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)