[PATCH v2 1/4] fs: prevent integer overflow in fs.c do_mv
Simon Glass
sjg at chromium.org
Thu Jan 8 20:58:58 CET 2026
On Wed, 31 Dec 2025 at 06:18, Timo tp Preißl <t.preissl at proton.me> wrote:
>
> An integer overflow in size calculations could lead to
> under-allocation and potential heap buffer overflow.
>
> Signed-off-by: Timo tp Preißl <t.preissl at proton.me>
> ---
> fs/fs.c | 16 +++++++++++++---
> 1 file changed, 13 insertions(+), 3 deletions(-)
Reviewed-by: Simon Glass <simon.glass at canonical.com>
>
> diff --git a/fs/fs.c b/fs/fs.c
> index c7706d9af85..319c55c440a 100644
> --- a/fs/fs.c
> +++ b/fs/fs.c
> @@ -1059,15 +1059,25 @@ int do_mv(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[],
> */
> if (dirs) {
> char *src_name = strrchr(src, '/');
> - int dst_len;
>
> if (src_name)
> src_name += 1;
> else
> src_name = src;
>
> - dst_len = strlen(dst);
> - new_dst = calloc(1, dst_len + strlen(src_name) + 2);
> + size_t dst_len = strlen(dst);
> + size_t src_len = strlen(src_name);
> + size_t total;
> +
> + if (__builtin_add_overflow(dst_len, src_len, &total) ||
> + __builtin_add_overflow(total, 2, &total)) {
> + return 0;
> + }
> +
> + new_dst = calloc(1, total);
> + if (!new_dst)
> + return 0;
> +
> strcpy(new_dst, dst);
>
> /* If there is already a trailing slash, don't add another */
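Review bot: Both new error paths in this hunk, the `__builtin_add_overflow()` check and the `if (!new_dst)` check, end in `return 0`, which a command handler such as do_mv normally uses to report success. A move that failed on overflow or allocation would then look successful to the caller and to any script testing the result. Return a failure code on both paths instead (for example CMD_RET_FAILURE) and print a short error so the user can see why the move did not happen. Two smaller style points: `dst_len`, `src_len` and `total` are declared after the `if (src_name)` statement, so move the declarations to the top of the `if (dirs)` block beside `src_name`; and the braces around the single `return` in the overflow check can be dropped.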
> --
> 2.43.0
>
>