From: Marek Behún
To: Simon Glass, Tom Rini
Cc: U-Boot Mailing List, Marek Behún
Subject: [PATCH 05/10] env: Check for terminating null-byte in env_match()
Date: Tue, 12 Oct 2021 13:04:56 +0200
Message-Id: <20211012110501.6118-6-kabel@kernel.org>
In-Reply-To: <20211012110501.6118-1-kabel@kernel.org>

From: Marek Behún

There is a possible overflow in env_match(): if environment contains a terminating null-byte before '=' character (i.e. environment is broken), the env_match() function can access data after the terminating null-byte from parameter pointer.

Example: if env_get_char() returns characters from string array "abc\0def\0" and env_match("abc", 0) is called, the function will access at least one byte after the end of the "abc" literal.

Signed-off-by: Marek Behún
--- cmd/nvedit.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/nvedit.c b/cmd/nvedit.c index e2e8a38b5d..a516491832 100644
--- a/cmd/nvedit.c +++ b/cmd/nvedit.c @@ -711,7 +711,7 @@ static int env_match(uchar *s1, int i2) if (s1 == NULL || *s1 == '\0') return -1; - while (*s1 == env_get_char(i2++)) + while (*s1 != '\0' && *s1 == env_get_char(i2++)) if (*s1++ == '=') return i2; -- 2.32.0
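Review bot: In the new loop condition `*s1 != '\0' && *s1 == env_get_char(i2++)`, the `&&` short-circuits when `*s1` is the terminator, so `i2++` is skipped on that exit path, whereas the old condition always advanced `i2` before leaving the loop. The statements after the loop are outside the visible context; if they use `i2` (for instance to look back at the last environment character read), they now see an index one lower whenever `s1` ends before an '=' is reached, which is exactly the `env_match("abc", 0)` case from the commit message. Please check the post-loop code against this, or keep the increment unconditional by reading `env_get_char(i2++)` into a local first and then testing `*s1 != '\0'` against it. A one-line comment on the loop saying that `s1` may be a bare name without '=' would also make the intent of the extra check clear.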