[PATCH] fs: fat: Prevent possible buffer overflow
Andrew Goodbody
andrew.goodbody at linaro.org
Fri Jul 18 11:17:30 CEST 2025
On 17/07/2025 17:57, Martin Husemann wrote:
> On Thu, Jul 17, 2025 at 04:38:50PM +0100, Andrew Goodbody wrote:
>> The original use of strcpy suggests that the string must be \0 terminated. I
>> will admit that I do not know the code well, is dir->itr.name guaranteed to
>> be a known fixed size?
>
> You are right, the iterator's name pointer always points to a \0 terminated
> string, but also always points to one shorter than FS_DIRENT_NAME_LEN.
>
> The on-disk fields are not \0 terminated, but the code extracting them
> deals with it properly. If the length would overflow, a NULL instead
> of a dir_entry * is returned, so while it is not obvious, AFAICT the
> original code is fine.
>
> Martin
Thanks Martin, we can drop this patch.
Andrew
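
The invariant described in this thread, as an added example that is not part of the original messages or of U-Boot's code: when the extraction step rejects any name that would not fit, a later strcpy into a buffer of the same size cannot overflow. DEMO_NAME_LEN (a constructed stand-in for FS_DIRENT_NAME_LEN), the demo_* names and the sample fields are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define DEMO_NAME_LEN 16 /* constructed stand-in for FS_DIRENT_NAME_LEN */
struct demo_itr { char name[DEMO_NAME_LEN]; };    /* hypothetical iterator */
struct demo_dirent { char name[DEMO_NAME_LEN]; }; /* hypothetical consumer entry */

/*
 * Copy a fixed-width on-disk field (space padded, NOT NUL-terminated) into
 * the iterator. Returns itr->name, or NULL when the trimmed name plus its
 * terminator would not fit, so a successful result is always terminated
 * and strictly shorter than DEMO_NAME_LEN.
 */
const char *demo_extract(struct demo_itr *itr, const unsigned char *field,
			 size_t width)
{
	size_t len = width;

	while (len > 0 && field[len - 1] == ' ')
		len--;			/* drop trailing padding */
	if (len >= sizeof(itr->name))
		return NULL;		/* would overflow: reject the entry */
	memcpy(itr->name, field, len);
	itr->name[len] = '\0';
	return itr->name;
}

/* The strcpy is bounded only because demo_extract() enforced the limit. */
int demo_fill_dirent(struct demo_dirent *dent, struct demo_itr *itr,
		     const unsigned char *field, size_t width)
{
	if (!demo_extract(itr, field, width))
		return -1;
	strcpy(dent->name, itr->name);
	return 0;
}

int main(void)
{
	/* Constructed sample fields: one that fits, one that is too long. */
	const unsigned char fits[8] = { 'U', 'B', 'O', 'O', 'T', ' ', ' ', ' ' };
	unsigned char too_long[DEMO_NAME_LEN];
	struct demo_itr itr;
	struct demo_dirent dent;
	memset(too_long, 'A', sizeof(too_long));
	printf("fits: %d\n", demo_fill_dirent(&dent, &itr, fits, sizeof(fits)));
	printf("too long: %d\n", demo_fill_dirent(&dent, &itr, too_long, sizeof(too_long)));
	return 0;
}
```

The safety of the copy lives entirely in the producer's length check, which is why it is not obvious at the strcpy call site.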