RE: [PATCH] efi: fix out-of-bounds null overwrite vulnerability

From: Luck, Tony
Date: Fri Jan 08 2016 - 11:47:24 EST


> But this function doesn't use snprintf(), it uses scnprintf() which
> returns the number of characters written into buf and, because
> scnprintf() largely follows vsnprintf(), it will never write more than
> 'size' bytes into the buffer.

if (bank && device)
	n = snprintf(msg, len, "DIMM location: %s %s ", bank, device);

That looks like "snprintf", not "scnprintf" to me :-)

What about using:

msg[len] = '\0';

to guarantee NUL termination?

-Tony
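The difference the thread turns on, shown in a small added userspace example (not code from the patch or from the kernel): snprintf() returns the length the full string would have had, so after truncation the returned offset n can point past the end of msg, and any later write at msg[n] lands out of bounds; scnprintf() returns the number of characters actually stored, which is always inside the buffer. The kernel's scnprintf() is not available in userspace, so my_scnprintf() below is a stand-in with the same return semantics, and the bank/device strings and the 16-byte buffer are constructed for the demonstration. Note also that both variants NUL-terminate within the first len bytes whenever len > 0; the hazard is the return value, not a missing terminator.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Userspace stand-in for the kernel's scnprintf() (hypothetical helper for
 * this example): returns the number of characters actually written into buf,
 * excluding the NUL, and never more than size - 1. */
static int my_scnprintf(char *buf, size_t size, const char *fmt, ...)
{
	va_list ap;
	int i;

	if (size == 0)
		return 0;
	va_start(ap, fmt);
	i = vsnprintf(buf, size, fmt, ap);
	va_end(ap);
	if (i < 0)
		return 0;
	return (size_t)i < size ? i : (int)(size - 1);
}

/* Same shape as the quoted kernel code: snprintf() reports the untruncated
 * length, so n may exceed len when bank/device do not fit. */
int build_msg_snprintf(char *msg, size_t len, const char *bank,
		       const char *device)
{
	int n = 0;

	if (bank && device)
		n = snprintf(msg, len, "DIMM location: %s %s ", bank, device);
	return n;
}

/* Same formatting through the scnprintf()-style helper: n is clamped to
 * len - 1, so msg + n always points inside the buffer. */
int build_msg_scnprintf(char *msg, size_t len, const char *bank,
			const char *device)
{
	int n = 0;

	if (bank && device)
		n = my_scnprintf(msg, len, "DIMM location: %s %s ", bank, device);
	return n;
}

/* 1 if a later write at msg[n] (e.g. a NUL or appended text) stays inside a
 * buffer of len bytes, 0 if it would be out of bounds. */
int offset_in_bounds(int n, size_t len)
{
	return n >= 0 && (size_t)n < len;
}

/* 1 if the buffer holds a NUL somewhere in its first len bytes. */
int terminated_within(const char *msg, size_t len)
{
	return memchr(msg, '\0', len) != NULL;
}

int main(void)
{
	char msg[16]; /* deliberately too small for the constructed strings */
	int n;

	n = build_msg_snprintf(msg, sizeof msg, "BANK0", "DIMM_A1");
	printf("snprintf: n=%d, in bounds=%d, msg=\"%s\"\n",
	       n, offset_in_bounds(n, sizeof msg), msg);

	n = build_msg_scnprintf(msg, sizeof msg, "BANK0", "DIMM_A1");
	printf("scnprintf: n=%d, in bounds=%d, msg=\"%s\"\n",
	       n, offset_in_bounds(n, sizeof msg), msg);
	return 0;
}
```

With the 16-byte buffer the full string "DIMM location: BANK0 DIMM_A1 " is 29 characters, so snprintf() returns 29 while only 15 characters plus the NUL are stored; code that then does msg[n] = '\0' or appends at msg + n writes 13 bytes past the end. The scnprintf()-style helper returns 15 for the same call. When the buffer is large enough both return 29, which is why the bug only shows up with long bank/device names.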