Re: [PATCH] efi: fix out-of-bounds null overwrite vulnerability

From: Matt Fleming
Date: Mon Jan 11 2016 - 09:16:18 EST

Next message: Aniroop Mathur: "Re: [PATCH] [v4]Input: evdev - drop partial events after emptying the buffer"
Previous message: Wang Nan: "[PATCH 03/53] perf tools: Set parallel making options build-test"
In reply to: Luck, Tony: "RE: [PATCH] efi: fix out-of-bounds null overwrite vulnerability"
Next in thread: Luck, Tony: "RE: [PATCH] efi: fix out-of-bounds null overwrite vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 08 Jan, at 04:47:17PM, Luck, Tony wrote:
> > But this function doesn't use snprintf(), it uses scnprintf() which
> > returns the number of characters written into buf and, because
> > scnprintf() largely follows vnsprintf(), it will never write more than
> > 'size' bytes into the buffer.
>
> if (bank && device)
> n = snprintf(msg, len, "DIMM location: %s %s ", bank, device);
>
> That looks like "snprintf", not "scnprintf" to me :-)

Oops! Can you believe I looked at the wrong function?

> What about using:
>
> msg[len] = '\0';
>
> to guarantee NUL termination?

But that may leave garbage bytes in 'rcd_decode_str' in the case where
the string isn't as long as 'len'.

How about memset()'ing the buffer to zero and deleting the NUL
termination line?

Next message: Aniroop Mathur: "Re: [PATCH] [v4]Input: evdev - drop partial events after emptying the buffer"
Previous message: Wang Nan: "[PATCH 03/53] perf tools: Set parallel making options build-test"
In reply to: Luck, Tony: "RE: [PATCH] efi: fix out-of-bounds null overwrite vulnerability"
Next in thread: Luck, Tony: "RE: [PATCH] efi: fix out-of-bounds null overwrite vulnerability"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]