tmp_buf is populated by the completion callback and is not guaranteed
to be NUL-terminated.
The code already accounts for this when computing tmp_size with
strnlen(tmp_buf, sizeof(tmp_buf)). However, another loop in the same
path still walks tmp_buf until a NUL byte is found, without checking
the buffer limit.
If the callback writes a full-sized non-NUL-terminated string, the loop
may read past the end of tmp_buf.
Fix this by bounding the iteration with sizeof(tmp_buf).
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: af75078fece3 ("first public release")
Cc: [email protected]
Signed-off-by: Daniil Iskhakov <[email protected]>
---
v2:
- Resent to [email protected] because v1 was accidentally sent only to
maintainers.
Cc: [email protected]
Cc: [email protected]
---
lib/cmdline/cmdline_rdline.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/cmdline/cmdline_rdline.c b/lib/cmdline/cmdline_rdline.c
index ee070f0af3..bc91dc6002 100644
--- a/lib/cmdline/cmdline_rdline.c
+++ b/lib/cmdline/cmdline_rdline.c
@@ -445,7 +445,7 @@ rdline_char_in(struct rdline *rdl, char c)
rdline_puts(rdl, "\r\n");
while (ret) {
rdl->write_char(rdl, ' ');
- for (i=0 ; i < sizeof(tmp_buf) &&
tmp_buf[i]; i++)
+ for (i = 0 ; i < tmp_buf[i]; i++)
rdl->write_char(rdl,
tmp_buf[i]);
rdline_puts(rdl, "\r\n");
ret = rdl->complete(rdl, rdl->left_buf,
--
2.43.0
