In the case that there was no name defined for a partition the code assumes that name_len is 22 and therefore allocates exactly that space for a dummy name. But the function sprintf() first resolves "0x%08llx@0x%08llx" to a string that is longer than 22 bytes. This leads to a buffer overflow. The replacement function snprintf() limits the copied bytes to name_len and therefore avoids the buffer overflow.
Signed-off-by: Kay Potthoff Kay.Potthoff@microsys.de --- cmd/mtdparts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/mtdparts.c b/cmd/mtdparts.c index 9bc977450cf8..d0cda1bea400 100644 --- a/cmd/mtdparts.c +++ b/cmd/mtdparts.c @@ -691,7 +691,7 @@ static int part_parse(const char *const partdef, const char **ret, struct part_i part->auto_name = 0; } else { /* auto generated name in form of size@offset */ - sprintf(part->name, "0x%08llx@0x%08llx", size, offset); + snprintf(part->name, name_len, "0x%08llx@0x%08llx", size, offset); part->auto_name = 1; }