From: "Marek Behún" <kabel@kernel.org>
To: Simon Glass <sjg@chromium.org>, Tom Rini <trini@konsulko.com>
Cc: "U-Boot Mailing List" <u-boot@lists.denx.de>,
"Marek Behún" <marek.behun@nic.cz>
Subject: [PATCH 05/10] env: Check for terminating null-byte in env_match()
Date: Tue, 12 Oct 2021 13:04:56 +0200
Message-ID: <20211012110501.6118-6-kabel@kernel.org>
In-Reply-To: <20211012110501.6118-1-kabel@kernel.org>

From: Marek Behún <marek.behun@nic.cz>

There is a possible overflow in env_match(): if environment contains
a terminating null-byte before '=' character (i.e. environment is
broken), the env_match() function can access data after the terminating
null-byte from parameter pointer.

Example: if env_get_char() returns characters from string array
"abc\0def\0" and env_match("abc", 0) is called, the function will access
at least one byte after the end of the "abc" literal.

Signed-off-by: Marek Behún <marek.behun@nic.cz>
---
cmd/nvedit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/nvedit.c b/cmd/nvedit.c
index e2e8a38b5d..a516491832 100644
--- a/cmd/nvedit.c
+++ b/cmd/nvedit.c
@@ -711,7 +711,7 @@ static int env_match(uchar *s1, int i2)
if (s1 == NULL || *s1 == '\0')
return -1;
- while (*s1 == env_get_char(i2++))
+ while (*s1 != '\0' && *s1 == env_get_char(i2++))
if (*s1++ == '=')
return i2;
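Review bot: the added `*s1 != '\0' &&` test in the while condition short-circuits before `env_get_char(i2++)` is evaluated, so on the iteration where the name's terminator is reached i2 is no longer advanced, whereas the old condition incremented it on every evaluation. The code after the loop is not part of this hunk; if it reads the environment back through i2 (for instance at i2 - 1) or returns i2 for a name passed without '=', it will now see an index one lower than before and should be checked or adjusted in the same patch. One way to keep the index semantics unchanged is to fetch the environment character into a local with the increment done unconditionally and then test `*s1 != '\0'` against that local. The commit message would also be clearer if it called this an out-of-bounds read of s1 rather than an overflow, since nothing is written.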
--
2.32.0