[PATCH 1/4] fs: prevent integer overflow in fs.c do_mv
Timo tp Preißl
t.preissl at proton.me
Mon Dec 29 20:44:25 CET 2025
An integer overflow in size calculations could lead to
under-allocation and potential heap buffer overflow.
Signed-off-by: Timo tp Preißl <t.preissl at proton.me>
---
fs/fs.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/fs/fs.c b/fs/fs.c
index c7706d9af85..319c55c440a 100644
--- a/fs/fs.c
+++ b/fs/fs.c
@@ -1059,15 +1059,25 @@ int do_mv(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[],
*/
if (dirs) {
char *src_name = strrchr(src, '/');
- int dst_len;
if (src_name)
src_name += 1;
else
src_name = src;
- dst_len = strlen(dst);
- new_dst = calloc(1, dst_len + strlen(src_name) + 2);
+ size_t dst_len = strlen(dst);
+ size_t src_len = strlen(src_name);
+ size_t total;
+
+ if (__builtin_add_overflow(dst_len, src_len, &total) ||
+ __builtin_add_overflow(total, 2, &total)) {
+ return 0;
+ }
+
+ new_dst = calloc(1, total);
+ if (!new_dst)
+ return 0;
+
strcpy(new_dst, dst);
/* If there is already a trailing slash, don't add another */
--
2.43.0
More information about the U-Boot
mailing list