[PATCH 1/1] cli: avoid buffer overrun
Heinrich Schuchardt
heinrich.schuchardt at canonical.com
Tue May 2 04:34:09 CEST 2023
Invoking the sandbox with

    /u-boot -c ⧵0xef⧵0xbf⧵0xbd

results in a segmentation fault.

Function b_getch() retrieves a character from the input stream. This
character may be > 0x7f. If type char is signed, static_get() will
return a negative number and in parse_stream() we will use that
negative number as an index for array map[] resulting in a buffer
overflow.

Reported-by: Harry Lockyer <harry_lockyer at tutanota.com>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt at canonical.com>
---
common/cli_hush.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/common/cli_hush.c b/common/cli_hush.c
index 1ad7a509df..77df42428b 100644
--- a/common/cli_hush.c
+++ b/common/cli_hush.c
@@ -324,7 +324,7 @@ typedef struct {
/* I can almost use ordinary FILE *. Is open_memstream() universally
* available? Where is it documented? */
struct in_str {
- const char *p;
+ const unsigned char *p;
#ifndef __U_BOOT__
char peek_buf[2];
#endif
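Review bot: changing `p` to `const unsigned char *` in struct in_str fixes the sign at the source, but the diffstat shows this is the only line touched, so every place that stores a `const char *` string into `p` now has a pointer-signedness mismatch; please confirm the file still builds cleanly with -Wpointer-sign, or add the cast at those assignments. The `peek_buf[2]` member two lines below stays plain `char`; it is compiled out under __U_BOOT__, but a short comment on why `p` is unsigned would stop the two members from being changed back to matching types later. It would also be more robust to cast at the use site in parse_stream() named in the commit message, for example map[(unsigned char)ch], so the index cannot go negative however the byte was read.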
--
2.39.2
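
The sign extension described in the commit message, as an added example that is not part of the original patch or of U-Boot's code: it reads the three byte values from the reported command line through a signed and an unsigned pointer and checks each result as a table index. The helper names, the 256-entry table size and the treatment of the command-line values as raw bytes are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Assumption: the lookup table has one entry per byte value. */
#define MAP_SIZE 256

/* Constructed sample: the byte values named in the reported command line. */
static const unsigned char sample[] = { 0xef, 0xbf, 0xbd };

/* Pre-patch shape: byte read through a signed pointer. signed char is
 * spelled out so the result does not depend on the ABI's plain char. */
static int getch_signed(const void *buf, size_t i)
{
	const signed char *p = buf;
	return p[i];		/* 0xef sign-extends to -17 */
}

/* Post-patch shape: byte read through an unsigned pointer. */
static int getch_unsigned(const void *buf, size_t i)
{
	const unsigned char *p = buf;
	return p[i];		/* 0xef stays 239 */
}

/* Returns 1 when ch is a valid index into a MAP_SIZE-entry table. */
static int index_in_bounds(int ch)
{
	return ch >= 0 && ch < MAP_SIZE;
}

/* Counts input bytes whose value would index outside the table. */
static size_t count_bad_indexes(const void *buf, size_t len,
				int (*getch)(const void *, size_t))
{
	size_t bad = 0;
	for (size_t i = 0; i < len; i++)
		if (!index_in_bounds(getch(buf, i)))
			bad++;
	return bad;
}

int main(void)
{
	printf("signed:   first=%d bad=%zu\n", getch_signed(sample, 0),
	       count_bad_indexes(sample, sizeof(sample), getch_signed));
	printf("unsigned: first=%d bad=%zu\n", getch_unsigned(sample, 0),
	       count_bad_indexes(sample, sizeof(sample), getch_unsigned));
	return 0;
}
```

The bounds check is computed rather than performed as a real array access, so the program itself never reads out of bounds.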