From: Kay Potthoff Date: Tue, 17 Jul 2018 06:19:39 +0000 (+0200) Subject: mtdparts: fixed buffer overflow bug X-Git-Url: http://git.dujemihanovic.xyz/img/sics.gif?a=commitdiff_plain;h=149c21b098dafc5a2ae619555a844e8d0a9523f6;p=u-boot.git mtdparts: fixed buffer overflow bug In the case that there was no name defined for a partition the code assumes that name_len is 22 and therefore allocates exactly that space for a dummy name. But the function sprintf() first resolves "0x%08llx@0x%08llx" to a string that is longer than 22 bytes. This leads to a buffer overflow. The replacement function snprintf() limits the copied bytes to name_len and therefore avoids the buffer overflow. Signed-off-by: Kay Potthoff --- diff --git a/cmd/mtdparts.c b/cmd/mtdparts.c index c401009133..0da3afd75f 100644 --- a/cmd/mtdparts.c +++ b/cmd/mtdparts.c @@ -690,7 +690,7 @@ static int part_parse(const char *const partdef, const char **ret, struct part_i part->auto_name = 0; } else { /* auto generated name in form of size@offset */ - sprintf(part->name, "0x%08llx@0x%08llx", size, offset); + snprintf(part->name, name_len, "0x%08llx@0x%08llx", size, offset); part->auto_name = 1; }