[U-Boot] [PATCH v2 2/2] image: Protect against overflow in unknown_msg()

Siarhei Siamashka siarhei.siamashka at gmail.com
Fri Oct 28 03:22:57 CEST 2016


On Thu, 27 Oct 2016 18:38:40 -0600
Simon Glass <sjg at chromium.org> wrote:

> Coverity complains that this can overflow. If we later increase the size
> of one of the strings in the table, it could happen.
> 
> Adjust the code to protect against this.
> 
> Signed-off-by: Simon Glass <sjg at chromium.org>
> Reported-by: Coverity (CID: 150964)
> ---
> 
> Changes in v2:
> - Drop unwanted #include
> 
>  common/image.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/common/image.c b/common/image.c
> index 0e86c13..4255267 100644
> --- a/common/image.c
> +++ b/common/image.c
> @@ -590,7 +590,7 @@ static const char *unknown_msg(enum ih_category category)
>  	static char msg[30];
>  
>  	strcpy(msg, "Unknown ");
> -	strcat(msg, table_info[category].desc);
> +	strncat(msg, table_info[category].desc, sizeof(msg) - 1);

"man strncat" on my system says:

       char *strncat(char *dest, const char *src, size_t n);

       ...

       If src contains n or more bytes, strncat() writes n+1 bytes to
       dest (n from src plus the terminating null byte).  Therefore,
       the size of dest must be at least strlen(dest)+n+1.

>  
>  	return msg;
>  }


-- 
Best regards,
Siarhei Siamashka


More information about the U-Boot mailing list