[PATCH 05/10] env: Check for terminating null-byte in env_match()
Marek Behún
kabel at kernel.org
Tue Oct 12 13:04:56 CEST 2021
From: Marek Behún <marek.behun at nic.cz>
There is a possible overflow in env_match(): if environment contains
a terminating null-byte before '=' character (i.e. environment is
broken), the env_match() function can access data after the terminating
null-byte from parameter pointer.
Example: if env_get_char() returns characters from string array
"abc\0def\0" and env_match("abc", 0) is called, the function will access
at least one byte after the end of the "abc" literal.
Signed-off-by: Marek Behún <marek.behun at nic.cz>
---
cmd/nvedit.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cmd/nvedit.c b/cmd/nvedit.c
index e2e8a38b5d..a516491832 100644
--- a/cmd/nvedit.c
+++ b/cmd/nvedit.c
@@ -711,7 +711,7 @@ static int env_match(uchar *s1, int i2)
if (s1 == NULL || *s1 == '\0')
return -1;
- while (*s1 == env_get_char(i2++))
+ while (*s1 != '\0' && *s1 == env_get_char(i2++))
if (*s1++ == '=')
return i2;
--
2.32.0
More information about the U-Boot
mailing list