[PATCH] kconfig: fix buffer overflow in conf_get_default_confname()

Quentin Schulz quentin.schulz at cherry.de
Fri Feb 27 17:22:40 CET 2026


Hi Anton,

On 2/26/26 9:58 PM, Anton Moryakov wrote:
> Use snprintf() instead of sprintf() when building the full config path
> to prevent potential buffer overflow.
> 
> The function previously used sprintf() to concatenate SRCTREE environment
> variable with the expanded config name into a fixed-size buffer
> fullname[PATH_MAX+1]. Since getenv() can return arbitrarily long strings,
> this could lead to writing beyond the buffer boundary (CWE-120).
> 
> Changes:
> - Replace sprintf() with snprintf() with proper size checking
> - Add validation of snprintf() return value to detect truncation
> - Emit conf_warning() if the resulting path exceeds PATH_MAX
> - Return the unprefixed name as fallback on error, preserving behavior
> 
> This fixes the static analyzer warning:
>    confdata.c:119: buffer overflow via getenv() tainted input
> 
> Reported-by: static analyzer Svace
> Signed-off-by: Anton Moryakov <ant.v.moryakov at gmail.com>

Reviewed-by: Quentin Schulz <quentin.schulz at cherry.de>

Thanks!
Quentin
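
The pattern the commit message describes (bounded formatting, a check of the snprintf() return value for truncation, and fallback to the unprefixed name) is sketched below as an added example; it is not the U-Boot patch or code from this thread. The names `join_srctree_path` and `resolve_confname` are hypothetical, the source tree is passed as a parameter instead of read with getenv(), and the warning goes to stderr in place of conf_warning().

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/*
 * Hypothetical helper (not U-Boot code): write "srctree/name" into
 * out[outsz]. Returns 0 on success, -1 if the result does not fit or
 * snprintf() fails; on failure out is left as an empty string.
 */
static int join_srctree_path(char *out, size_t outsz,
                             const char *srctree, const char *name)
{
    int n;

    if (outsz == 0)
        return -1;
    n = snprintf(out, outsz, "%s/%s", srctree, name);
    /* n < 0: output error; n >= outsz: the result was truncated */
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Prefer srctree/name when it fits; otherwise warn and return name. */
static const char *resolve_confname(const char *srctree, const char *name)
{
    static char fullname[PATH_MAX + 1];

    if (!srctree)
        return name;
    if (join_srctree_path(fullname, sizeof(fullname), srctree, name) < 0) {
        fprintf(stderr, "warning: path for '%s' exceeds PATH_MAX\n", name);
        return name;
    }
    return fullname;
}

int main(void)
{
    /* Constructed input: a source-tree string longer than PATH_MAX */
    static char longtree[PATH_MAX + 64];

    memset(longtree, 'a', sizeof(longtree) - 1);
    puts(resolve_confname("/src/u-boot", ".config"));
    puts(resolve_confname(longtree, ".config"));
    return 0;
}
```
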

