[PATCH] fastboot: mmc: Fix dest size in strlcat()
strlcat() is truncating the destination string to the size of the source string. Fix size argument in strlcat() to match the size of destination buffer.
Bug was introduced in the following commit:
commit 69a752983171c2983fc1f29c7cfa1844f41e5d8b Author: Sean Anderson seanga2@gmail.com
fastboot: Fix possible buffer overrun
Signed-off-by: Ariel D'Alessandro ariel.dalessandro@collabora.com --- drivers/fastboot/fb_mmc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/fastboot/fb_mmc.c b/drivers/fastboot/fb_mmc.c index cbb3f7b1dea..4c54f0c3893 100644 --- a/drivers/fastboot/fb_mmc.c +++ b/drivers/fastboot/fb_mmc.c @@ -40,7 +40,7 @@ static int raw_part_get_info_by_name(struct blk_desc *dev_desc,
/* check for raw partition descriptor */ strcpy(env_desc_name, "fastboot_raw_partition_"); - strlcat(env_desc_name, name, PART_NAME_LEN); + strlcat(env_desc_name, name, ARRAY_SIZE(env_desc_name)); raw_part_desc = strdup(env_get(env_desc_name)); if (raw_part_desc == NULL) return -ENODEV; @@ -114,7 +114,7 @@ static int part_get_info_by_name_or_alias(struct blk_desc **dev_desc,
/* check for alias */ strcpy(env_alias_name, "fastboot_partition_alias_"); - strlcat(env_alias_name, name, PART_NAME_LEN); + strlcat(env_alias_name, name, ARRAY_SIZE(env_alias_name)); aliased_part_name = env_get(env_alias_name); if (aliased_part_name != NULL) ret = do_get_part_info(dev_desc, aliased_part_name,
On 9/30/21 9:47 AM, Ariel D'Alessandro wrote:
strlcat() is truncating the destination string to the size of the source string. Fix size argument in strlcat() to match the size of destination buffer.
Bug was introduced in the following commit:
commit 69a752983171c2983fc1f29c7cfa1844f41e5d8b Author: Sean Anderson seanga2@gmail.com
fastboot: Fix possible buffer overrunSigned-off-by: Ariel D'Alessandro ariel.dalessandro@collabora.com
drivers/fastboot/fb_mmc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/fastboot/fb_mmc.c b/drivers/fastboot/fb_mmc.c index cbb3f7b1dea..4c54f0c3893 100644 --- a/drivers/fastboot/fb_mmc.c +++ b/drivers/fastboot/fb_mmc.c @@ -40,7 +40,7 @@ static int raw_part_get_info_by_name(struct blk_desc *dev_desc,
/* check for raw partition descriptor */ strcpy(env_desc_name, "fastboot_raw_partition_");
- strlcat(env_desc_name, name, PART_NAME_LEN);
- strlcat(env_desc_name, name, ARRAY_SIZE(env_desc_name)); raw_part_desc = strdup(env_get(env_desc_name)); if (raw_part_desc == NULL) return -ENODEV;
@@ -114,7 +114,7 @@ static int part_get_info_by_name_or_alias(struct blk_desc **dev_desc,
/* check for alias */ strcpy(env_alias_name, "fastboot_partition_alias_");
strlcat(env_alias_name, name, PART_NAME_LEN);
strlcat(env_alias_name, name, ARRAY_SIZE(env_alias_name));
This looks like a duplicate of [1]. I think the only difference is ARRAY_SIZE vs sizeof, but they are equivalent since sizeof(char) == 1.
--Sean
[1] http://patchwork.ozlabs.org/project/uboot/patch/20210730122354.6281-1-matthi...
Hi Sean,
On 9/30/21 12:15 PM, Sean Anderson wrote:
On 9/30/21 9:47 AM, Ariel D'Alessandro wrote:
strlcat() is truncating the destination string to the size of the source string. Fix size argument in strlcat() to match the size of destination buffer.
Bug was introduced in the following commit:
commit 69a752983171c2983fc1f29c7cfa1844f41e5d8b Author: Sean Anderson seanga2@gmail.com
fastboot: Fix possible buffer overrun
Signed-off-by: Ariel D'Alessandro ariel.dalessandro@collabora.com
drivers/fastboot/fb_mmc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/fastboot/fb_mmc.c b/drivers/fastboot/fb_mmc.c index cbb3f7b1dea..4c54f0c3893 100644 --- a/drivers/fastboot/fb_mmc.c +++ b/drivers/fastboot/fb_mmc.c @@ -40,7 +40,7 @@ static int raw_part_get_info_by_name(struct blk_desc *dev_desc,
/* check for raw partition descriptor */ strcpy(env_desc_name, "fastboot_raw_partition_"); - strlcat(env_desc_name, name, PART_NAME_LEN); + strlcat(env_desc_name, name, ARRAY_SIZE(env_desc_name)); raw_part_desc = strdup(env_get(env_desc_name)); if (raw_part_desc == NULL) return -ENODEV; @@ -114,7 +114,7 @@ static int part_get_info_by_name_or_alias(struct blk_desc **dev_desc,
/* check for alias */ strcpy(env_alias_name, "fastboot_partition_alias_"); - strlcat(env_alias_name, name, PART_NAME_LEN); + strlcat(env_alias_name, name, ARRAY_SIZE(env_alias_name)); aliased_part_name = env_get(env_alias_name); if (aliased_part_name != NULL) ret = do_get_part_info(dev_desc, aliased_part_name,
This looks like a duplicate of [1]. I think the only difference is ARRAY_SIZE vs sizeof, but they are equivalent since sizeof(char) == 1.
Ah, you're right. Sorry I missed that patch.
--Sean
[1] http://patchwork.ozlabs.org/project/uboot/patch/20210730122354.6281-1-matthi...
participants (2)
-
Ariel D'Alessandro -
Sean Anderson