pxe: simplify label_boot()
author Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Mon, 15 Nov 2021 18:26:51 +0000 (19:26 +0100)
committer Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Mon, 18 Jul 2022 15:21:49 +0000 (17:21 +0200)

Coverity CID 131256 indicates a possible buffer overflow in label_boot().
This would only occur if the size of the downloaded file would exceed 4
GiB. But anyway we can simplify the code by using snprintf() and checking
the return value.

Addresses-Coverity-ID: 131256 ("Security best practices violations (STRING_OVERFLOW)")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ramon Fried <rfried.dev@gmail.com>
Reviewed-by: Artem Lapkin <email2tema@gmail.com>
boot/pxe_utils.c

index b08aee9896bc27a18831371b6150fe85fee14de4..defbe465e40140be9959d5913e3c52e1bd635954 100644 (file)
@@ -532,11 +532,10 @@ static int label_boot(struct pxe_context *ctx, struct pxe_label *label)
                }
 
                initrd_addr_str = env_get("ramdisk_addr_r");
-               strcpy(initrd_filesize, simple_xtoa(size));
-
-               strncpy(initrd_str, initrd_addr_str, 18);
-               strcat(initrd_str, ":");
-               strncat(initrd_str, initrd_filesize, 9);
+               size = snprintf(initrd_str, sizeof(initrd_str), "%s:%lx",
+                               initrd_addr_str, size);
+               if (size >= sizeof(initrd_str))
+                       return 1;
        }
 
        if (get_relfile_envaddr(ctx, label->kernel, "kernel_addr_r",
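Review bot: the added `size = snprintf(...)` line reuses `size` as both the `%lx` argument and the destination of the snprintf() return value, so the initrd file size is overwritten by the formatted string length, and an int return is stored in a variable that the format string treats as a long. A separate `int ret` would keep the file size intact and allow an explicit `ret < 0 || ret >= sizeof(initrd_str)` test instead of relying on integer conversion to catch a negative return. The new `return 1` path also fails without a message, whereas the removed strncpy()/strncat() calls truncated silently and continued, so a short printf naming the oversized initrd string would make the new failure diagnosable. Finally, no NULL check on the result of `env_get("ramdisk_addr_r")` is visible in this hunk before it is passed to `%s`; if none exists earlier in the function, it should be added here.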