On Fri, 2021-07-30 at 10:04 -0400, Sean Anderson wrote:
> On 7/30/21 8:23 AM, Matthias Schiffer wrote:
> > strlcat() need to be passed the full buffer length. The incorrect call
> > caused truncation of partition names for fastboot_raw_partition_... and
> > fastboot_partition_alias_... env lookup to much less than PART_NAME_LEN.
> >
> > Fixes: 69a752983171 ("fastboot: Fix possible buffer overrun")
> > Signed-off-by: Matthias Schiffer <matthias.schif...@ew.tq-group.com>
> > ---
> > drivers/fastboot/fb_mmc.c | 4 ++--
> > 1 file changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/drivers/fastboot/fb_mmc.c b/drivers/fastboot/fb_mmc.c
> > index 2f3837e559..33fd6c21af 100644
> > --- a/drivers/fastboot/fb_mmc.c
> > +++ b/drivers/fastboot/fb_mmc.c
> > @@ -40,7 +40,7 @@ static int raw_part_get_info_by_name(struct blk_desc
> > *dev_desc,
> >
> > /* check for raw partition descriptor */
> > strcpy(env_desc_name, "fastboot_raw_partition_");
> > - strlcat(env_desc_name, name, PART_NAME_LEN);
> > + strlcat(env_desc_name, name, sizeof(env_desc_name));
> > raw_part_desc = strdup(env_get(env_desc_name));
> > if (raw_part_desc == NULL)
> > return -ENODEV;
> > @@ -114,7 +114,7 @@ static int part_get_info_by_name_or_alias(struct
> > blk_desc **dev_desc,
> >
> > /* check for alias */
> > strcpy(env_alias_name, "fastboot_partition_alias_");
> > - strlcat(env_alias_name, name, PART_NAME_LEN);
> > + strlcat(env_alias_name, name, sizeof(env_alias_name));
> > aliased_part_name = env_get(env_alias_name);
> > if (aliased_part_name != NULL)
> > ret = do_get_part_info(dev_desc, aliased_part_name,
> >
>
> Reviewed-by: Sean Anderson <sean...@gmail.com>
Hi,
what's the status here? It would be great to have this bugfix in the
next release.
Regards,
Matthias
