michael/u-boot
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

cmd: elf: Prevent possible buffer overflow

Browse Source 
In do_bootvx the environment variable 'bootdev' is fetched and copied
into a buffer without confirming that it will not overflow that buffer.
Use strlcpy to ensure that the buffer will not be overflowed.

This issue was found by Smatch.

Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
This commit is contained in:
Andrew Goodbody
2025-07-21 15:43:36 +01:00
committed by Tom Rini
parent 9b2e794190
commit b83f865e75
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
cmd/elf.c
View File

@@ -21,6 +21,8 @@
#include <linux/linkage.h>
#endif
#define BOOTLINE_BUF_LEN 128
/* Interpreter command to boot an arbitrary ELF image from memory */
int do_bootelf(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[])
{
@@ -114,7 +116,7 @@ int do_bootvx(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[])
unsigned long bootaddr = 0; /* Address to put the bootline */
char *bootline; /* Text of the bootline */
char *tmp; /* Temporary char pointer */
char build_buf[128]; /* Buffer for building the bootline */
char build_buf[BOOTLINE_BUF_LEN]; /* Buffer for building the bootline */
int ptr = 0;
#ifdef CONFIG_X86
ulong base;
@@ -226,7 +228,7 @@ int do_bootvx(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[])
if (!bootline) {
tmp = env_get("bootdev");
if (tmp) {
strcpy(build_buf, tmp);
strlcpy(build_buf, tmp, BOOTLINE_BUF_LEN);
ptr = strlen(tmp);
} else {
printf("## VxWorks boot device not specified\n");