Re: [PATCH 05/10] env: Check for terminating null-byte in env_match()

2021-10-13 Thread Marek Behún
On Tue, 12 Oct 2021 13:04:56 +0200
Marek Behún  wrote:

> - while (*s1 == env_get_char(i2++))
> + while (*s1 != '\0' && *s1 == env_get_char(i2++))

This check has to be done in the other order:
  while (*s1 == env_get_char(i2++) && *s1 != '\0')

so that i2 gets incremented even if *s1 == '\0'.

Will be fixed in v2.


[PATCH 05/10] env: Check for terminating null-byte in env_match()

2021-10-12 Thread Marek Behún
From: Marek Behún 

There is a possible overflow in env_match(): if the environment contains
a terminating null-byte before the '=' character (i.e. the environment is
broken), the env_match() function can access data after the terminating
null-byte of the string passed via the parameter pointer.

Example: if env_get_char() returns characters from string array
"abc\0def\0" and env_match("abc", 0) is called, the function will access
at least one byte after the end of the "abc" literal.

Signed-off-by: Marek Behún 
---
 cmd/nvedit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/nvedit.c b/cmd/nvedit.c
index e2e8a38b5d..a516491832 100644
--- a/cmd/nvedit.c
+++ b/cmd/nvedit.c
@@ -711,7 +711,7 @@ static int env_match(uchar *s1, int i2)
if (s1 == NULL || *s1 == '\0')
return -1;
 
-   while (*s1 == env_get_char(i2++))
+   while (*s1 != '\0' && *s1 == env_get_char(i2++))
if (*s1++ == '=')
return i2;
 
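Review bot: in the `+` line, `*s1 != '\0'` is evaluated before `env_get_char(i2++)`, so when the loop stops because s1 has reached its terminator the `i2++` side effect is skipped and i2 is left one position behind where the original loop left it (pointing at the environment character that was never compared). Any code after the loop that reads or returns i2 therefore sees a different value than before the patch. Swapping the operands, `while (*s1 == env_get_char(i2++) && *s1 != '\0')`, keeps the increment and still stops before `*s1++` can step past the terminator; this is the ordering the follow-up reply announces for v2, and the hunk would be easier to review if the commit message mentioned why the increment must stay unconditional.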
-- 
2.32.0
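The following harness is an added illustration and is not code from the patch or from U-Boot. It models the env_match() loop in its three orderings (the original, the v1 patch with the name check first, and the operand order proposed for v2) against two constructed environment images, replacing the name pointer s1 with an index so that a read past the name's terminator is detected and counted instead of performed. env_get_char_at() is a bounds-checked stand-in for U-Boot's env_get_char(); the only thing it shows beyond the thread is the resulting i2 value for each ordering, which is where v1 diverges.

```c
#include <stdio.h>
#include <string.h>

/* Constructed environment images (not U-Boot data). An image is a sequence
 * of NUL-terminated "name=value" strings; ENV_BROKEN has a NUL before any
 * '=', which is the corrupt case the patch guards against. */
static const char ENV_BROKEN[] = "abc\0def\0";
static const char ENV_OK[]     = "abc=1";

/* Stand-in for env_get_char(): bounds-checked read of the image, returning
 * -1 past the end so the model never reads outside the array. */
static int env_get_char_at(const char *env, size_t env_len, int index)
{
	if (index < 0 || (size_t)index >= env_len)
		return -1;
	return (unsigned char)env[index];
}

enum variant {
	V_ORIGINAL,   /* while (*s1 == env_get_char(i2++))                   */
	V_NAME_FIRST, /* while (*s1 != '\0' && *s1 == env_get_char(i2++))   v1 */
	V_ENV_FIRST,  /* while (*s1 == env_get_char(i2++) && *s1 != '\0')   v2 */
};

struct trace {
	int ret;     /* what the loop would return, -1 if it falls through */
	int i2;      /* value of i2 when the loop stops                    */
	int overrun; /* 1 if the loop tried to read past the name's NUL    */
};

/* Model of the env_match() loop for the chosen operand ordering. */
static struct trace env_match_trace(enum variant v, const char *name,
				    const char *env, size_t env_len)
{
	struct trace t = { -1, 0, 0 };
	size_t name_len = strlen(name);
	size_t k = 0;   /* models s1 - name */
	int i2 = 0;

	for (;;) {
		int c, e;

		if (k > name_len) {      /* s1 already stepped past its '\0' */
			t.overrun = 1;
			c = -2;              /* sentinel: byte we must not read */
		} else {
			c = (unsigned char)name[k];
		}

		if (v == V_NAME_FIRST && c == '\0')
			break;               /* short-circuit: i2++ is skipped */

		e = env_get_char_at(env, env_len, i2++);
		if (c != e)
			break;
		if (v == V_ENV_FIRST && c == '\0')
			break;               /* i2 was already incremented */

		if (c == '=') {          /* if (*s1++ == '=') return i2; */
			t.ret = i2;
			break;
		}
		k++;
	}
	t.i2 = i2;
	return t;
}

int main(void)
{
	const char *labels[] = { "original", "name-first (v1)", "env-first (v2)" };
	int v;

	for (v = 0; v < 3; v++) {
		struct trace a = env_match_trace((enum variant)v, "abc",
						 ENV_BROKEN, sizeof(ENV_BROKEN));
		struct trace b = env_match_trace((enum variant)v, "abc",
						 ENV_OK, sizeof(ENV_OK));
		printf("%-16s broken env: i2=%d overrun=%d | ok env: ret=%d i2=%d\n",
		       labels[v], a.i2, a.overrun, b.ret, b.i2);
	}
	return 0;
}
```

With the broken image only the original ordering sets overrun; with the well-formed image the original and v2 orderings leave i2 at 4 (one past the '=' that was compared against the name's NUL) while v1 leaves it at 3, which is the difference the follow-up reply refers to.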