CTCaer/switch-l4t-atf
1
0
Fork 0
mirror of https://github.com/CTCaer/switch-l4t-atf.git synced 2024-11-23 09:49:39 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix(fdt): fix OOB write in uuid parsing function

Browse Source 
The function read_uuid() zeroes the UUID destination buffer
on error. However, it mistakenly uses the dest pointer
that has been incremented many times during the parsing,
leading to an out-of-bounds write.

To fix this, retain a pointer to the start of the buffer,
and use this when clearing it instead.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
Change-Id: Iee8857be5d3f383ca2eab86cde99a43bf606f306
This commit is contained in:
David Horstmann 2021-07-26 16:31:42 +01:00
parent f98c0bea9c
commit d0d642450f
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
common/uuid.c
View File

@ -73,6 +73,7 @@ static int read_hex(uint8_t *dest, char *hex_src, unsigned int hex_src_len)
int read_uuid(uint8_t *dest, char *uuid)
{
int err;
uint8_t *dest_start = dest;
/* Check that we have enough characters */
if (strnlen(uuid, UUID_STRING_LENGTH) != UUID_STRING_LENGTH) {
@ -124,7 +125,7 @@ int read_uuid(uint8_t *dest, char *uuid)
if (err < 0) {
WARN("Error parsing UUID\n");
/* Clear the buffer on error */
memset((void *)dest, '\0', UUID_BYTES_LENGTH * sizeof(uint8_t));
memset((void *)dest_start, '\0', UUID_BYTES_LENGTH * sizeof(uint8_t));
return -EINVAL;
}