From d0d642450f1f3a0f43e0e156ef57a0c460dd48cf Mon Sep 17 00:00:00 2001
From: David Horstmann
Date: Mon, 26 Jul 2021 16:31:42 +0100
Subject: [PATCH] fix(fdt): fix OOB write in uuid parsing function

The function read_uuid() zeroes the UUID destination buffer on error. However, it mistakenly uses the dest pointer that has been incremented many times during the parsing, leading to an out-of-bounds write. To fix this, retain a pointer to the start of the buffer, and use this when clearing it instead.

Signed-off-by: David Horstmann
Change-Id: Iee8857be5d3f383ca2eab86cde99a43bf606f306
---
 common/uuid.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/common/uuid.c b/common/uuid.c
index dd3c7b02f..ac6db50a0 100644
--- a/common/uuid.c
+++ b/common/uuid.c
@@ -73,6 +73,7 @@ static int read_hex(uint8_t *dest, char *hex_src, unsigned int hex_src_len)
 int read_uuid(uint8_t *dest, char *uuid)
 {
 int err;
+ uint8_t *dest_start = dest;
 /* Check that we have enough characters */
 if (strnlen(uuid, UUID_STRING_LENGTH) != UUID_STRING_LENGTH) {
@@ -124,7 +125,7 @@ int read_uuid(uint8_t *dest, char *uuid)
 if (err < 0) {
 WARN("Error parsing UUID\n");
 /* Clear the buffer on error */
- memset((void *)dest, '\0', UUID_BYTES_LENGTH * sizeof(uint8_t));
+ memset((void *)dest_start, '\0', UUID_BYTES_LENGTH * sizeof(uint8_t));
 return -EINVAL;
 }
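Review bot: The saved base pointer in the first hunk is never meant to move, so declaring it `uint8_t *const dest_start = dest;` would let the compiler reject an accidental advance of the kind that caused the original out-of-bounds write. A short comment such as `/* dest is advanced while parsing; keep the base for the error-path clear */` would record why a second pointer exists. Separately, the length check in the context lines calls strnlen() capped at UUID_STRING_LENGTH, so it only rejects strings that are too short and appears to accept input longer than a UUID; whether trailing characters should be refused depends on callers not visible here. The body of read_uuid continues outside the hunk.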
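Review bot: The error-path clear in the second hunk writes UUID_BYTES_LENGTH bytes to the caller's buffer, yet no comment visible in either hunk states that `dest` must be at least that large. A function comment on read_uuid giving the required size of `dest`, that the buffer is zeroed when parsing fails, and that -EINVAL is returned would make the contract checkable at call sites. As a style point, the cast and the `sizeof(uint8_t)` factor are redundant, so the line could read `memset(dest_start, 0, UUID_BYTES_LENGTH);`. The enclosing function starts and ends outside this hunk, so the parsing steps that set `err` are not visible.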