* [PATCH master 2/3] common: readline: fix possible buffer overflows
2021-03-22 6:55 [PATCH master 1/3] commands: readline: fix memory leak on wrong usage Ahmad Fatoum
@ 2021-03-22 6:55 ` Ahmad Fatoum
2021-03-22 6:55 ` [PATCH master 3/3] sandbox: fix use of initialized variable in error path Ahmad Fatoum
2021-03-22 9:18 ` [PATCH master 1/3] commands: readline: fix memory leak on wrong usage Sascha Hauer
2 siblings, 0 replies; 4+ messages in thread
From: Ahmad Fatoum @ 2021-03-22 6:55 UTC (permalink / raw)
To: barebox; +Cc: Ahmad Fatoum
Entering very long lines can crash the readline prompt due to missing
NUL terminator. Make sure we don't exceed CONFIG_CBSIZE to avoid this.
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
commands/readline.c | 2 +-
common/hush.c | 2 +-
common/parser.c | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/commands/readline.c b/commands/readline.c
index 7933a58c08b4..57c8fbd7bc80 100644
--- a/commands/readline.c
+++ b/commands/readline.c
@@ -19,7 +19,7 @@ static int do_readline(int argc, char *argv[])
command_slice_release();
- if (readline(argv[1], buf, CONFIG_CBSIZE) < 0) {
+ if (readline(argv[1], buf, CONFIG_CBSIZE - 1) < 0) {
command_slice_acquire();
free(buf);
return COMMAND_ERROR;
diff --git a/common/hush.c b/common/hush.c
index 763e6cf74bbc..0475401321d1 100644
--- a/common/hush.c
+++ b/common/hush.c
@@ -451,7 +451,7 @@ static void get_user_input(struct in_str *i)
command_slice_release();
- n = readline(prompt, console_buffer, CONFIG_CBSIZE);
+ n = readline(prompt, console_buffer, CONFIG_CBSIZE - 1);
command_slice_acquire();
diff --git a/common/parser.c b/common/parser.c
index fb9ef42e7fab..584d4b0efece 100644
--- a/common/parser.c
+++ b/common/parser.c
@@ -270,7 +270,7 @@ int run_shell(void)
login();
for (;;) {
- len = readline (CONFIG_PROMPT, console_buffer, CONFIG_CBSIZE);
+ len = readline (CONFIG_PROMPT, console_buffer, CONFIG_CBSIZE - 1);
if (len > 0)
strcpy (lastcommand, console_buffer);
--
2.29.2
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 4+ messages in thread* [PATCH master 3/3] sandbox: fix use of initialized variable in error path
2021-03-22 6:55 [PATCH master 1/3] commands: readline: fix memory leak on wrong usage Ahmad Fatoum
2021-03-22 6:55 ` [PATCH master 2/3] common: readline: fix possible buffer overflows Ahmad Fatoum
@ 2021-03-22 6:55 ` Ahmad Fatoum
2021-03-22 9:18 ` [PATCH master 1/3] commands: readline: fix memory leak on wrong usage Sascha Hauer
2 siblings, 0 replies; 4+ messages in thread
From: Ahmad Fatoum @ 2021-03-22 6:55 UTC (permalink / raw)
To: barebox; +Cc: Ahmad Fatoum
fd could be uninitialized in some error paths. Give it a value that
close can be called on without adverse effect.
Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
---
arch/sandbox/os/common.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/sandbox/os/common.c b/arch/sandbox/os/common.c
index fd75cc04cc16..d09604af1400 100644
--- a/arch/sandbox/os/common.c
+++ b/arch/sandbox/os/common.c
@@ -321,7 +321,7 @@ int linux_open_hostfile(struct hf_info *hf)
{
char *buf = NULL;
struct stat s;
- int fd;
+ int fd = -1;
printf("add %s %sbacked by file %s%s\n", hf->devname,
hf->filename ? "" : "initially un", hf->filename ?: "",
@@ -408,7 +408,7 @@ int linux_open_hostfile(struct hf_info *hf)
return 0;
err_out:
- if (fd > 0)
+ if (fd >= 0)
close(fd);
free(buf);
return -1;
--
2.29.2
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [PATCH master 1/3] commands: readline: fix memory leak on wrong usage
2021-03-22 6:55 [PATCH master 1/3] commands: readline: fix memory leak on wrong usage Ahmad Fatoum
2021-03-22 6:55 ` [PATCH master 2/3] common: readline: fix possible buffer overflows Ahmad Fatoum
2021-03-22 6:55 ` [PATCH master 3/3] sandbox: fix use of initialized variable in error path Ahmad Fatoum
@ 2021-03-22 9:18 ` Sascha Hauer
2 siblings, 0 replies; 4+ messages in thread
From: Sascha Hauer @ 2021-03-22 9:18 UTC (permalink / raw)
To: Ahmad Fatoum; +Cc: barebox
On Mon, Mar 22, 2021 at 07:55:25AM +0100, Ahmad Fatoum wrote:
> Later error-handling frees buf, but the first early exit doesn't.
> Move buf beyond it to fix the memory leak.
>
> Signed-off-by: Ahmad Fatoum <a.fatoum@pengutronix.de>
> ---
Applied, thanks
Sascha
> commands/readline.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/commands/readline.c b/commands/readline.c
> index 403ac8563a36..7933a58c08b4 100644
> --- a/commands/readline.c
> +++ b/commands/readline.c
> @@ -10,11 +10,13 @@
>
> static int do_readline(int argc, char *argv[])
> {
> - char *buf = xzalloc(CONFIG_CBSIZE);
> + char *buf;
>
> if (argc < 3)
> return COMMAND_ERROR_USAGE;
>
> + buf = xzalloc(CONFIG_CBSIZE);
> +
> command_slice_release();
>
> if (readline(argv[1], buf, CONFIG_CBSIZE) < 0) {
> --
> 2.29.2
>
>
> _______________________________________________
> barebox mailing list
> barebox@lists.infradead.org
> http://lists.infradead.org/mailman/listinfo/barebox
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
^ permalink raw reply [flat|nested] 4+ messages in thread