From mboxrd@z Thu Jan 1 00:00:00 1970 From: Kay Potthoff Date: Tue, 17 Jul 2018 08:19:39 +0200 Subject: [U-Boot] [PATCH] mtdparts: fixed buffer overflow bug Message-ID: <20180717061939.6034-1-Kay.Potthoff@microsys.de> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de In the case that there was no name defined for a partition the code assumes that name_len is 22 and therefore allocates exactly that space for a dummy name. But the function sprintf() first resolves "0x%08llx at 0x%08llx" to a string that is longer than 22 bytes. This leads to a buffer overflow. The replacement function snprintf() limits the copied bytes to name_len and therefore avoids the buffer overflow. Signed-off-by: Kay Potthoff --- cmd/mtdparts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/mtdparts.c b/cmd/mtdparts.c index 9bc977450cf8..d0cda1bea400 100644 --- a/cmd/mtdparts.c +++ b/cmd/mtdparts.c @@ -691,7 +691,7 @@ static int part_parse(const char *const partdef, const char **ret, struct part_i part->auto_name = 0; } else { /* auto generated name in form of size at offset */ - sprintf(part->name, "0x%08llx at 0x%08llx", size, offset); + snprintf(part->name, name_len, "0x%08llx at 0x%08llx", size, offset); part->auto_name = 1; } -- 2.17.0