A large enough argument to the --port option could cause a string buffer to be not NULL terminated because grub_strncpy() does not guarantee NULL termination if copied string is longer than max characters to copy.
Fixes: 712309eaae04 (term/serial: Use grub_strncpy() instead of grub_snprintf() when only copying string) Signed-off-by: Glenn Washburn <developm...@efficientek.com> --- grub-core/term/serial.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/grub-core/term/serial.c b/grub-core/term/serial.c index 869555430153..8260dcb7a87a 100644 --- a/grub-core/term/serial.c +++ b/grub-core/term/serial.c @@ -257,7 +257,10 @@ grub_cmd_serial (grub_extcmd_context_t ctxt, int argc, char **args) { if (grub_strncmp (state[OPTION_PORT].arg, "mmio,", sizeof ("mmio,") - 1) == 0 || grub_strncmp (state[OPTION_PORT].arg, "pci,", sizeof ("pci,") - 1) == 0) - grub_strncpy (pname, state[1].arg, sizeof (pname)); + { + grub_strncpy (pname, state[1].arg, sizeof (pname)); + pname[sizeof (pname) - 1] = '\0'; + } else grub_snprintf (pname, sizeof (pname), "port%lx", grub_strtoul (state[1].arg, 0, 0)); -- 2.34.1 _______________________________________________ Grub-devel mailing list Grub-devel@gnu.org https://lists.gnu.org/mailman/listinfo/grub-devel