[U-Boot-Users] Buffer overflow in print_data() in ft_build.c

[U-Boot-Users] Buffer overflow in print_data() in ft_build.c

[Fredrik Roubert]

Hi!

In print_data() in ft_build.c, printf() is used to print strings of
arbitrary length from the device tree, which will cause a buffer
overflow that crashes U-Boot if any of these strings is longer than
CFG_PBSIZE.

(I encountered this while debugging my flat device tree while having a
very long kernel parameter line.)

The attached patch changes print_data() to use puts() instead, which
doesn't have the buffer overflow problem.

Cheers // Fredrik Roubert

-- 
Visserij 192  |  +32 473 344527 / +46 708 776974
BE-9000 Gent  |  http://www.df.lth.se/~roubert/
-------------- next part --------------
diff -ur u-boot-2006-06-30-2020.orig/common/ft_build.c u-boot-2006-06-30-2020/common/ft_build.c
--- u-boot-2006-06-30-2020.orig/common/ft_build.c	2006-06-30 20:16:37.000000000 +0200
+++ u-boot-2006-06-30-2020/common/ft_build.c	2006-10-09 12:12:56.000000000 +0200
@@ -293,7 +293,9 @@
 		return;
 
 	if (is_printable_string(data, len)) {
-		printf(" = \"%s\"", (char *)data);
+		puts(" = \"");
+		puts(data);
+		puts("\"");
 		return;
 	}
 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 303 bytes
Desc: not available
Url : http://lists.denx.de/pipermail/u-boot/attachments/20061009/2368dc96/attachment.pgp 

[U-Boot-Users] Buffer overflow in print_data() in ft_build.c

[Wolfgang Denk]

In message <20061009102605.GA4171@igloo.df.lth.se> you wrote:
> 
> The attached patch changes print_data() to use puts() instead, which
> doesn't have the buffer overflow problem.

Applied, thanks. But please provide a proper CHANGELOG entry next
time.

Best regards,

Wolfgang Denk

-- 
Software Engineering:  Embedded and Realtime Systems,  Embedded Linux
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
A Puritan is someone who is deathly afraid that  someone,  somewhere,
is having fun.