[PATCH] Fix potential string manipulation overflows

Pascal Bach

Aug 29, 2018, 9:26:15 AM
to efibootg...@googlegroups.com, Pascal Bach
Issues were reported by GCC 8.2 and the stringop-overflow option.

Signed-off-by: Pascal Bach <pasca...@siemens.com>
---
env/env_api_fat.c | 2 +-
env/env_config_file.c | 6 +++---
env/env_disk_utils.c | 4 ++--
env/uservars.c | 2 +-
4 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/env/env_api_fat.c b/env/env_api_fat.c
index 1795259..120bd10 100644
--- a/env/env_api_fat.c
+++ b/env/env_api_fat.c
@@ -264,7 +264,7 @@ static int bgenv_get_string(char *buffer, uint64_t *type, void *data,
if (!data) {
return strlen(buffer)+1;
}
- strncpy(data, buffer, strlen(buffer)+1);
+ strncpy(data, buffer, strlen(data)+1);
if (type) {
*type = USERVAR_TYPE_STRING_ASCII;
}
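Review bot: the new bound on the `+` line, `strlen(data)+1`, is taken from the current contents of the destination rather than from its capacity. `data` is the caller's output buffer, so it may hold no terminated string at the time of the call, in which case `strlen(data)` reads past it, and when it holds a shorter string than `buffer` the copy is truncated without a terminating NUL. The `!data` branch just above reports `strlen(buffer)+1` as the required size, so the copy should be bounded by the size the caller actually provided (a size argument, if the signature has or can take one), with an explicit check that `strlen(buffer)+1` fits before copying.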
diff --git a/env/env_config_file.c b/env/env_config_file.c
index 7f817cb..fc80a65 100644
--- a/env/env_config_file.c
+++ b/env/env_config_file.c
@@ -31,9 +31,9 @@ FILE *open_config_file(CONFIG_PART *cfgpart, char *mode)
return NULL;
}
strncpy(configfilepath, cfgpart->mountpoint,
- strlen(cfgpart->mountpoint) + 1);
- strncat(configfilepath, "/", 1);
- strncat(configfilepath, FAT_ENV_FILENAME, strlen(FAT_ENV_FILENAME));
+ strlen(configfilepath) + 1);
+ strncat(configfilepath, "/", sizeof(configfilepath) - strlen("/") - 1);
+ strncat(configfilepath, FAT_ENV_FILENAME, sizeof(configfilepath) - strlen(FAT_ENV_FILENAME) - 1);
VERBOSE(stdout, "Probing config file at %s.\n", configfilepath);
FILE *config = fopen(configfilepath, mode);
free(configfilepath);
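Review bot: in all three changed calls the size argument does not describe the space left in `configfilepath`. `strlen(configfilepath) + 1` is evaluated on a buffer that has not been written yet in the visible lines; `sizeof(configfilepath)` yields the size of a pointer if `configfilepath` is a `char *`, which the `free(configfilepath)` below suggests; and the third argument of `strncat` is the maximum number of characters to append, so it needs the capacity minus `strlen(configfilepath)` minus 1, not the capacity minus the length of the source. Building the path in one call, `snprintf(configfilepath, size, "%s/%s", cfgpart->mountpoint, FAT_ENV_FILENAME)`, where `size` stands for the allocation size, and checking the return value for truncation would remove all three computations.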
diff --git a/env/env_disk_utils.c b/env/env_disk_utils.c
index fae3812..f2699df 100644
--- a/env/env_disk_utils.c
+++ b/env/env_disk_utils.c
@@ -40,7 +40,7 @@ char *get_mountpoint(char *devpath)
break;
}
strncpy(mntpoint, part->mnt_dir,
- strlen(part->mnt_dir) + 1);
+ strlen(mntpoint) + 1);
return mntpoint;
}
}
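Review bot: `strlen(mntpoint) + 1` on the `+` line measures whatever bytes are currently in `mntpoint`, which this function is about to fill and return, so the bound is unrelated to both the source length and the buffer size. The allocation is not visible in this hunk; whatever size was requested there should be kept in a variable and used as the limit, and the function should fail rather than return a truncated or unterminated mount point when `part->mnt_dir` does not fit.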
@@ -77,7 +77,7 @@ bool mount_partition(CONFIG_PART *cfgpart)
VERBOSE(stderr, "Error, out of memory.\n");
return false;
}
- strncpy(cfgpart->mountpoint, mountpoint, strlen(mountpoint) + 1);
+ strncpy(cfgpart->mountpoint, mountpoint, strlen(cfgpart->mountpoint) + 1);
return true;
}

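Review bot: the bound `strlen(cfgpart->mountpoint) + 1` is computed from the destination, and the out-of-memory path directly above indicates that `cfgpart->mountpoint` was only just allocated, so it has no defined string content to measure. Use the size passed to that allocation as the limit, and write the terminating NUL explicitly, since `strncpy` does not add one when the source fills the limit.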
diff --git a/env/uservars.c b/env/uservars.c
index aa05235..ed721a3 100644
--- a/env/uservars.c
+++ b/env/uservars.c
@@ -78,7 +78,7 @@ void bgenv_serialize_uservar(uint8_t *p, char *key, uint64_t type, void *data,
uint32_t payload_size, data_size;

/* store key */
- strncpy((char *)p, key, strlen(key) + 1);
+ strncpy((char *)p, key, strlen((char *)p) + 1);
p += strlen(key) + 1;

/* store payload_size after key */
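Review bot: after this change the number of bytes written for the key and the pointer advance on the next line no longer agree. `strncpy((char *)p, key, strlen((char *)p) + 1)` copies at most as many bytes as the stale contents of the output buffer happen to allow, while `p += strlen(key) + 1` still skips the full key length, so a truncated key leaves old bytes inside the serialized record and no terminator. The function needs the remaining space at `p` from its caller: check that `strlen(key) + 1` fits, then copy exactly that many bytes.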
--
2.11.0

Pascal Bach

Aug 30, 2018, 4:18:23 AM
to EFI Boot Guard
Never mind. I saw that a similar patch is already in next. (https://github.com/siemens/efibootguard/commit/f33e9b6f177e46ded0f19881fbbefe266fa29ed9)

Is there a timeline when this will be merged to master?

Jan Kiszka

Aug 30, 2018, 10:13:58 AM
to [ext] Pascal Bach, EFI Boot Guard
On 2018-08-30 10:18, [ext] Pascal Bach wrote:
> Never mind. I saw that a similar patch is already in next.
> (https://github.com/siemens/efibootguard/commit/f33e9b6f177e46ded0f19881fbbefe266fa29ed9)
>
> Is there a timeline when this will be merged to master?

Usually days, but this pending master merge was simply forgotten. Done now.

Thanks,
Jan

>
> On Wednesday, August 29, 2018 at 3:26:15 PM UTC+2, Pascal Bach wrote:
>
> Issues were reported by GCC 8.2 and the stringop-overflow option.
>
> Signed-off-by: Pascal Bach <pasca...@siemens.com
> <mailto:pasca...@siemens.com>>

--
Siemens AG, Corporate Technology, CT RDA IOT SES-DE
Corporate Competence Center Embedded Linux