In the case that there was no name defined for a partition the
code assumes that name_len is 22 and therefore allocates exactly
that space for a dummy name. But the function sprintf() first
resolves "0x%08llx@0x%08llx" to a string that is longer than 22
bytes. This leads to a buffer overflow. The replacement function
snprintf() limits the copied bytes to name_len and therefore
avoids the buffer overflow.

Signed-off-by: Kay Potthoff <kay.potth...@microsys.de>
---
 cmd/mtdparts.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/cmd/mtdparts.c b/cmd/mtdparts.c
index 9bc977450cf8..d0cda1bea400 100644
--- a/cmd/mtdparts.c
+++ b/cmd/mtdparts.c
@@ -691,7 +691,7 @@ static int part_parse(const char *const partdef, const char 
**ret, struct part_i
                part->auto_name = 0;
        } else {
                /* auto generated name in form of size@offset */
-               sprintf(part->name, "0x%08llx@0x%08llx", size, offset);
+               snprintf(part->name, name_len, "0x%08llx@0x%08llx", size, 
offset);
                part->auto_name = 1;
        }
 
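Review bot: the snprintf() call in the auto-name branch ignores its return value, so when size or offset needs more than 8 hex digits the generated name is silently truncated to name_len - 1 characters and no longer reads as size@offset. Both arguments are printed with %llx, so the longest possible string is "0x" + 16 digits + "@" + "0x" + 16 digits, which is 37 characters plus the terminating NUL. Consider sizing the buffer for that worst case (38 bytes) where name_len is chosen for the auto-named case, or comparing the snprintf() result against name_len and failing the parse on truncation, so that two large partitions cannot end up with the same shortened name.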
-- 
2.17.0
