From mboxrd@z Thu Jan 1 00:00:00 1970 From: Siarhei Siamashka Date: Fri, 28 Oct 2016 04:22:57 +0300 Subject: [U-Boot] [PATCH v2 2/2] image: Protect against overflow in unknown_msg() In-Reply-To: <1477615121-9968-2-git-send-email-sjg@chromium.org> References: <1477615121-9968-2-git-send-email-sjg@chromium.org> Message-ID: <20161028042257.04f5049d@i7> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de On Thu, 27 Oct 2016 18:38:40 -0600 Simon Glass wrote: > Coverity complains that this can overflow. If we later increase the size > of one of the strings in the table, it could happen. > > Adjust the code to protect against this. > > Signed-off-by: Simon Glass > Reported-by: Coverity (CID: 150964) > --- > > Changes in v2: > - Drop unwanted #include > > common/image.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/common/image.c b/common/image.c > index 0e86c13..4255267 100644 > --- a/common/image.c > +++ b/common/image.c > @@ -590,7 +590,7 @@ static const char *unknown_msg(enum ih_category category) > static char msg[30]; > > strcpy(msg, "Unknown "); > - strcat(msg, table_info[category].desc); > + strncat(msg, table_info[category].desc, sizeof(msg) - 1); "man strncat" on my system says: char *strncat(char *dest, const char *src, size_t n); ... If src contains n or more bytes, strncat() writes n+1 bytes to dest (n from src plus the terminating null byte). Therefore, the size of dest must be at least strlen(dest)+n+1. > > return msg; > } -- Best regards, Siarhei Siamashka