mtdparts: fixed buffer overflow bug

In the case that there was no name defined for a partition the code assumes that name_len is 22 and therefore allocates exactly that space for a dummy name. But the function sprintf() first resolves "0x%08llx@0x%08llx" to a string that is longer than 22 bytes. This leads to a buffer overflow. The replacement function snprintf() limits the copied bytes to name_len and therefore avoids the buffer overflow. Signed-off-by: Kay Potthoff <Kay.Potthoff@microsys.de>

mtdparts: fixed buffer overflow bug
In the case that there was no name defined for a partition the code assumes that name_len is 22 and therefore allocates exactly that space for a dummy name. But the function sprintf() first resolves "0x%08llx@0x%08llx" to a string that is longer than 22 bytes. This leads to a buffer overflow. The replacement function snprintf() limits the copied bytes to name_len and therefore avoids the buffer overflow. Signed-off-by: Kay Potthoff <Kay.Potthoff@microsys.de>
Kay Potthoff · Tom Rini
1 parent 4807c40c2f
Showing 1 changed file with 1 additions and 1 deletions Side-by-side Diff
cmd/mtdparts.c
@@ -690,7 +690,7 @@
 		part->auto_name = 0;
 	} else {
 		/* auto generated name in form of size@offset */
-		sprintf(part->name, "0x%08llx@0x%08llx", size, offset);
+		snprintf(part->name, name_len, "0x%08llx@0x%08llx", size, offset);
 		part->auto_name = 1;
 	}
...	...	@@ -690,7 +690,7 @@
690	690	part->auto_name = 0;
691	691	} else {
692	692	/* auto generated name in form of size@offset */
693		- sprintf(part->name, "0x%08llx@0x%08llx", size, offset);
	693	+ snprintf(part->name, name_len, "0x%08llx@0x%08llx", size, offset);
694	694	part->auto_name = 1;
695	695	}
696	696