From 149c21b098dafc5a2ae619555a844e8d0a9523f6 Mon Sep 17 00:00:00 2001 From: Kay Potthoff Date: Tue, 17 Jul 2018 08:19:39 +0200 Subject: [PATCH] mtdparts: fixed buffer overflow bug In the case that there was no name defined for a partition the code assumes that name_len is 22 and therefore allocates exactly that space for a dummy name. But the function sprintf() first resolves "0x%08llx@0x%08llx" to a string that is longer than 22 bytes. This leads to a buffer overflow. The replacement function snprintf() limits the copied bytes to name_len and therefore avoids the buffer overflow. Signed-off-by: Kay Potthoff --- cmd/mtdparts.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cmd/mtdparts.c b/cmd/mtdparts.c index c401009133..0da3afd75f 100644 --- a/cmd/mtdparts.c +++ b/cmd/mtdparts.c @@ -690,7 +690,7 @@ static int part_parse(const char *const partdef, const char **ret, struct part_i part->auto_name = 0; } else { /* auto generated name in form of size@offset */ - sprintf(part->name, "0x%08llx@0x%08llx", size, offset); + snprintf(part->name, name_len, "0x%08llx@0x%08llx", size, offset); part->auto_name = 1; }