commit 3f72b8326a2fc9a9dffb4b31d0ce3abf12e24751
Author: Likhitha Korrapati <likhitha@linux.ibm.com>
Date: Thu Jan 25 15:44:02 2024 +0530
powerpc/nvram: fix segmentation fault issue in print-config
print-config option in nvram results in segmentation fault when the
user provides a very large value.
without the patch:
[root@xxx powerpc-utils]# nvram --print-config=real-mode?
true
[root@xxx powerpc-utils]# nvram --print-config=$(perl -e 'p
rint "A"x1000000')
Segmentation fault (core dumped)
The Segmentation fault occurs because the code tries to access memory
beyond the bounds of the data at index varlen. varlen is the length of
the string provided by the user.
This patch adds a condition to check whether the length of the data is
greater than varlen to prevent accessing out of bounds.
with the patch:
[root@xxx powerpc-utils]# ./src/nvram --print-config=real-m
ode?
true
[root@xxx powerpc-utils]# ./src/nvram --print-config=$(perl
-e 'print "A"x1000000')
Reported-by: Shirisha Ganta <shirisha@linux.ibm.com>
Signed-off-by: Likhitha Korrapati <likhitha@linux.ibm.com>
Signed-off-by: Tyrel Datwyler <tyreld@linux.ibm.com>
diff --git a/src/nvram.c b/src/nvram.c
index f051e9c..095e747 100644
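--- a/src/nvram.c
+++ b/src/nvram.c
@@ -1280,7 +1280,7 @@ print_of_config(struct nvram *nvram, char *config_var, char *pname,
 
 data = (char *)phead + sizeof(*phead);
 while (*data != '\0') {
- if ((data[varlen] == '=') &&
+ if (strlen(data) > varlen && (data[varlen] == '=') &&
 strncmp(config_var, data, varlen) == 0) {
 printf("%s%c", data + varlen + 1, terminator);
 rc = 0;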
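Review bot: The new `strlen(data) > varlen` guard bounds the `data[varlen]` index by the entry's own length, but the scan in this loop is still delimited only by NUL bytes: `while (*data != '\0')` and `strlen(data)` both trust the partition contents to be terminated, so a truncated or corrupt partition image could still be read past its end. Consider computing the entry length once per iteration with `strnlen()` limited to the bytes remaining in the partition (the partition length is not visible in this hunk) and using that value for the guard. The comparison also mixes `size_t` with `varlen`, whose declaration is outside the hunk; if it is a signed `int`, write `strlen(data) > (size_t)varlen` to make the conversion explicit. print_of_config's body starts and ends outside the hunk, so any other loop there that tests `data[varlen]` would need the same guard.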