fix(fdt): fix OOB write in uuid parsing function
The function read_uuid() zeroes the UUID destination buffer on error. However, it mistakenly uses the dest pointer that has been incremented many times during the parsing, leading to an out-of-bounds write. To fix this, retain a pointer to the start of the buffer, and use this when clearing it instead. Signed-off-by: David Horstmann <david.horstmann@arm.com> Change-Id: Iee8857be5d3f383ca2eab86cde99a43bf606f306
This commit is contained in:
parent
f98c0bea9c
commit
d0d642450f
|
@ -73,6 +73,7 @@ static int read_hex(uint8_t *dest, char *hex_src, unsigned int hex_src_len)
|
||||||
int read_uuid(uint8_t *dest, char *uuid)
|
int read_uuid(uint8_t *dest, char *uuid)
|
||||||
{
|
{
|
||||||
int err;
|
int err;
|
||||||
|
uint8_t *dest_start = dest;
|
||||||
|
|
||||||
/* Check that we have enough characters */
|
/* Check that we have enough characters */
|
||||||
if (strnlen(uuid, UUID_STRING_LENGTH) != UUID_STRING_LENGTH) {
|
if (strnlen(uuid, UUID_STRING_LENGTH) != UUID_STRING_LENGTH) {
|
||||||
|
@ -124,7 +125,7 @@ int read_uuid(uint8_t *dest, char *uuid)
|
||||||
if (err < 0) {
|
if (err < 0) {
|
||||||
WARN("Error parsing UUID\n");
|
WARN("Error parsing UUID\n");
|
||||||
/* Clear the buffer on error */
|
/* Clear the buffer on error */
|
||||||
memset((void *)dest, '\0', UUID_BYTES_LENGTH * sizeof(uint8_t));
|
memset((void *)dest_start, '\0', UUID_BYTES_LENGTH * sizeof(uint8_t));
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue