leandrof/u-boot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

cmd/nvedit.c: Update input handling to cover overflow cases

Browse Source 
When we have multiple messages provided, we need to be sure that we do
not exceed the length of our 'message' buffer.  In the for loop, make
sure that pos is not larger than message.  Only copy in at most however
much of the message buffer remains.  Finally, if we have not reached the
end of the message buffer, put in a space and NULL, and if we have,
ensure the buffer is now NULL termined.

Reported-by: Coverity (CID: 165116)
Signed-off-by: Tom Rini <trini@konsulko.com>
This commit is contained in:
Tom Rini 2017-09-26 19:37:11 -04:00
parent e2e6daed5a
commit c667723ffb
1 changed files with 7 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
cmd/nvedit.c
View File

@ -393,15 +393,18 @@ int do_env_ask(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
sprintf(message, "Please enter '%s': ", argv[1]);
} else {
/* env_ask envname message1 ... messagen [size] */
for (i = 2, pos = 0; i < argc; i++) {
for (i = 2, pos = 0; i < argc && pos < sizeof(message); i++) {
if (pos)
message[pos++] = ' ';
strcpy(message + pos, argv[i]);
strncpy(message + pos, argv[i], sizeof(message) - pos);
pos += strlen(argv[i]);
}
message[pos++] = ' ';
message[pos] = '\0';
if (pos < sizeof(message) - 1) {
message[pos++] = ' ';
message[pos] = '\0';
} else
message[CONFIG_SYS_CBSIZE - 1] = '\0';
}
if (size >= CONFIG_SYS_CBSIZE)