
14 Oct 2021, 5:11 p.m.
On Wed, 13 Oct 2021 at 09:46, Marek Behún <kabel@kernel.org> wrote:
From: Marek Behún <marek.behun@nic.cz>
There is a possible overflow in env_match(): if the environment contains a terminating null-byte before the '=' character (i.e. the environment is broken), the env_match() function can access data after the terminating null-byte through the parameter pointer.
Example: if env_get_char() returns characters from string array "abc\0def\0" and env_match("abc", 0) is called, the function will access at least one byte after the end of the "abc" literal.
Fix this by checking for terminating null-byte in env_match().
Signed-off-by: Marek Behún <marek.behun@nic.cz>
Changes since v1:
- check for '\0' only after incrementing i2
cmd/nvedit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Reviewed-by: Simon Glass <sjg@chromium.org>
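The overrun described in the commit message, modelled in C as an added example that is not the code in cmd/nvedit.c or the merged patch: a name buffer with an instrumented reader counts how far past its terminating NUL the matching loop reads, using the "abc\0def\0" image from the description. The placement of the added NUL check (after i2 is incremented, as the changelog states) is an assumption about the patch's shape.

```c
#include <stddef.h>

/* Constructed environment images (NUL-terminated entries as in U-Boot); in
 * broken_env the "abc" entry has no '=', the broken case from the report. */
static const char broken_env[] = "abc\0def\0";
static const char good_env[] = "abc=1\0def=2\0";

/* Name buffer with an explicit terminator index, so that reads past the NUL
 * are counted here instead of being an undefined out-of-bounds access. */
struct name_buf { const char *data; size_t nul_pos; size_t max_read; };

static char name_read(struct name_buf *n, size_t idx)
{
    if (idx > n->max_read)
        n->max_read = idx;
    return n->data[idx];   /* data is padded with NULs, so this stays in bounds */
}

/* Stand-in for env_get_char(): byte i of the image, NUL past its end. */
static char env_get_char(const char *env, size_t len, int i)
{
    return (i >= 0 && (size_t)i < len) ? env[i] : '\0';
}

/* fixed == 0 follows the loop shape the report describes: with "abc\0def\0" and
 * name "abc" the two NULs compare equal, so p steps past the terminator and is
 * read again. fixed == 1 checks the name for NUL after i2 is incremented (assumed). */
static int env_match(struct name_buf *n, const char *env, size_t len, int i2, int fixed)
{
    size_t p = 0;
    while (name_read(n, p) == env_get_char(env, len, i2++)) {
        if (fixed && name_read(n, p) == '\0')
            break;
        if (name_read(n, p++) == '=')
            return i2;
    }
    if (name_read(n, p) == '\0' && env_get_char(env, len, i2 - 1) == '=')
        return i2;   /* name matched up to '='; i2 is the value's offset */
    return -1;
}
static size_t last_overrun;  /* bytes read past the name's NUL by the last run() */

/* Match "abc" at image offset 0 and record how far past its NUL was read. */
static int run(const char *env, size_t len, int fixed)
{
    struct name_buf n = { "abc\0\0\0\0\0", 3, 0 };   /* padded "abc" */
    int r = env_match(&n, env, len, 0, fixed);
    last_overrun = n.max_read > n.nul_pos ? n.max_read - n.nul_pos : 0;
    return r;
}
```

On the broken image the unfixed loop reads one byte past the name's terminator and the fixed loop none; on the well-formed image both return the value offset 4.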