mail archive of the barebox mailing list
 help / color / mirror / Atom feed
* [PATCH 1/2] readline: Fix potential buffer overflow
@ 2016-01-05  8:25 Sascha Hauer
  2016-01-05  8:25 ` [PATCH 2/2] readline: Fix potential buffer overflow in command history Sascha Hauer
  0 siblings, 1 reply; 2+ messages in thread
From: Sascha Hauer @ 2016-01-05  8:25 UTC (permalink / raw)
  To: Barebox List

cread_add_char doesn't take the trailing '\0' into account, so adding
it at the end of readline can overflow the buffer.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 lib/readline.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/readline.c b/lib/readline.c
index c007e10..4c9bb76 100644
--- a/lib/readline.c
+++ b/lib/readline.c
@@ -150,7 +150,7 @@ static void cread_add_char(char ichar, int insert, unsigned long *num,
 
 	/* room ??? */
 	if (insert || *num == *eol_num) {
-		if (*eol_num > len - 1) {
+		if (*eol_num > len - 2) {
 			getcmd_cbeep();
 			return;
 		}
-- 
2.6.2


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

^ permalink raw reply	[flat|nested] 2+ messages in thread

* [PATCH 2/2] readline: Fix potential buffer overflow in command history
  2016-01-05  8:25 [PATCH 1/2] readline: Fix potential buffer overflow Sascha Hauer
@ 2016-01-05  8:25 ` Sascha Hauer
  0 siblings, 0 replies; 2+ messages in thread
From: Sascha Hauer @ 2016-01-05  8:25 UTC (permalink / raw)
  To: Barebox List

Cursor up copies the last line into the buffer without checking if it
fits into the current buffer. Fix this using safe_strncpy.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 lib/readline.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/readline.c b/lib/readline.c
index 4c9bb76..cac9670 100644
--- a/lib/readline.c
+++ b/lib/readline.c
@@ -1,6 +1,7 @@
 #include <common.h>
 #include <readkey.h>
 #include <init.h>
+#include <libbb.h>
 #include <xfuncs.h>
 #include <complete.h>
 #include <linux/ctype.h>
@@ -321,7 +322,7 @@ int readline(const char *prompt, char *buf, int len)
 			ERASE_TO_EOL();
 
 			/* copy new line into place and display */
-			strcpy(buf, hline);
+			safe_strncpy(buf, hline, len);
 			eol_num = strlen(buf);
 			REFRESH_TO_EOL();
 			continue;
-- 
2.6.2


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2016-01-05  8:25 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-01-05  8:25 [PATCH 1/2] readline: Fix potential buffer overflow Sascha Hauer
2016-01-05  8:25 ` [PATCH 2/2] readline: Fix potential buffer overflow in command history Sascha Hauer

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox