[PATCH v2 06/13] env: Check for terminating null-byte in env_match()

Marek Behún kabel at kernel.org
Wed Oct 13 17:45:50 CEST 2021


From: Marek Behún <marek.behun at nic.cz>

There is a possible overflow in env_match(): if environment contains
a terminating null-byte before '=' character (i.e. environment is
broken), the env_match() function can access data after the terminating
null-byte from parameter pointer.

Example: if env_get_char() returns characters from string array
"abc\0def\0" and env_match("abc", 0) is called, the function will access
at least one byte after the end of the "abc" literal.

Fix this by checking for terminating null-byte in env_match().

Signed-off-by: Marek Behún <marek.behun at nic.cz>
---
Change since v1:
- check for '\0' only after incrementing i2
---
 cmd/nvedit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/nvedit.c b/cmd/nvedit.c
index e2e8a38b5d..a22445132b 100644
--- a/cmd/nvedit.c
+++ b/cmd/nvedit.c
@@ -711,7 +711,7 @@ static int env_match(uchar *s1, int i2)
 	if (s1 == NULL || *s1 == '\0')
 		return -1;
 
-	while (*s1 == env_get_char(i2++))
+	while (*s1 == env_get_char(i2++) && *s1 != '\0')
 		if (*s1++ == '=')
 			return i2;
 
-- 
2.32.0



More information about the U-Boot mailing list