Commit 149c21b098dafc5a2ae619555a844e8d0a9523f6
Committed by Tom Rini
1 parent 4807c40c2f
Exists in smarc_8mq_lf_v2020.04 and in 11 other branches
mtdparts: fixed buffer overflow bug
In the case that there was no name defined for a partition the code assumes that name_len is 22 and therefore allocates exactly that space for a dummy name. But the function sprintf() first resolves "0x%08llx@0x%08llx" to a string that is longer than 22 bytes. This leads to a buffer overflow. The replacement function snprintf() limits the copied bytes to name_len and therefore avoids the buffer overflow.

Signed-off-by: Kay Potthoff <Kay.Potthoff@microsys.de>
Showing 1 changed file with 1 additions and 1 deletions
cmd/mtdparts.c
... | ... | @@ -690,7 +690,7 @@ |
690 | 690 | part->auto_name = 0; |
691 | 691 | } else { |
692 | 692 | /* auto generated name in form of size@offset */ |
693 | - sprintf(part->name, "0x%08llx@0x%08llx", size, offset); | |
693 | + snprintf(part->name, name_len, "0x%08llx@0x%08llx", size, offset); | |
694 | 694 | part->auto_name = 1; |
695 | 695 | } |
696 | 696 |
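Review bot: The snprintf() call on new line 693 ignores its return value, so an auto-generated name that does not fit in name_len is silently truncated and part->auto_name is still set to 1. The width in %08llx is a minimum, so a size or offset above 0xffffffff prints more than 8 hex digits; with both arguments at full 64-bit width the string needs 37 characters plus the terminating NUL, against the 22 bytes the commit message says are allocated. A truncated name no longer encodes size@offset, and two partitions whose values differ only in the cut-off digits would end up with the same name. Consider either sizing the dummy-name allocation for the worst case (38 bytes) where name_len is set, or checking whether snprintf() returned a value >= name_len and treating that as an error, so the write stays bounded and the name stays meaningful.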