[U-Boot] [PATCH v3 2/2] image: Protect against overflow in unknown_msg()
Simon Glass
sjg at chromium.org
Fri Oct 28 21:41:05 CEST 2016
Hi Tom,
On 28 October 2016 at 11:59, Tom Rini <trini at konsulko.com> wrote:
> On Thu, Oct 27, 2016 at 08:18:39PM -0600, Simon Glass wrote:
>> Coverity complains that this can overflow. If we later increase the size
>> of one of the strings in the table, it could happen.
>>
>> Adjust the code to protect against this.
>>
>> Signed-off-by: Simon Glass <sjg at chromium.org>
>> Reported-by: Coverity (CID: 150964)
>> ---
>>
>> Changes in v3:
>> - Adjust to deal with what strncpy() actually does (I think)
>>
>> Changes in v2:
>> - Drop unwanted #include
>>
>> common/image.c | 6 ++++--
>> 1 file changed, 4 insertions(+), 2 deletions(-)
>>
>> diff --git a/common/image.c b/common/image.c
>> index 0e86c13..016f263 100644
>> --- a/common/image.c
>> +++ b/common/image.c
>> @@ -588,9 +588,11 @@ const table_entry_t *get_table_entry(const table_entry_t *table, int id)
>> static const char *unknown_msg(enum ih_category category)
>> {
>> static char msg[30];
>> + static char unknown_str = "Unknown ";
>>
>> - strcpy(msg, "Unknown ");
>> - strcat(msg, table_info[category].desc);
>> + strcpy(msg, unknown_str);
>> + strncat(msg, table_info[category].desc,
>> + sizeof(msg) - sizeof(unknown_str));
>
> We still need to subtract 1 more here at the end, for the NUL don't we?
I was hoping that the sizeof(msg) would take care of that?
Regards,
Simon
More information about the U-Boot
mailing list