On Fri, 2021-07-30 at 10:04 -0400, Sean Anderson wrote: > On 7/30/21 8:23 AM, Matthias Schiffer wrote: > > strlcat() need to be passed the full buffer length. The incorrect call > > caused truncation of partition names for fastboot_raw_partition_... and > > fastboot_partition_alias_... env lookup to much less than PART_NAME_LEN. > > > > Fixes: 69a752983171 ("fastboot: Fix possible buffer overrun") > > Signed-off-by: Matthias Schiffer <matthias.schif...@ew.tq-group.com> > > --- > > drivers/fastboot/fb_mmc.c | 4 ++-- > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > diff --git a/drivers/fastboot/fb_mmc.c b/drivers/fastboot/fb_mmc.c > > index 2f3837e559..33fd6c21af 100644 > > --- a/drivers/fastboot/fb_mmc.c > > +++ b/drivers/fastboot/fb_mmc.c > > @@ -40,7 +40,7 @@ static int raw_part_get_info_by_name(struct blk_desc > > *dev_desc, > > > > /* check for raw partition descriptor */ > > strcpy(env_desc_name, "fastboot_raw_partition_"); > > - strlcat(env_desc_name, name, PART_NAME_LEN); > > + strlcat(env_desc_name, name, sizeof(env_desc_name)); > > raw_part_desc = strdup(env_get(env_desc_name)); > > if (raw_part_desc == NULL) > > return -ENODEV; > > @@ -114,7 +114,7 @@ static int part_get_info_by_name_or_alias(struct > > blk_desc **dev_desc, > > > > /* check for alias */ > > strcpy(env_alias_name, "fastboot_partition_alias_"); > > - strlcat(env_alias_name, name, PART_NAME_LEN); > > + strlcat(env_alias_name, name, sizeof(env_alias_name)); > > aliased_part_name = env_get(env_alias_name); > > if (aliased_part_name != NULL) > > ret = do_get_part_info(dev_desc, aliased_part_name, > > > > Reviewed-by: Sean Anderson <sean...@gmail.com>
Hi, what's the status here? It would be great to have this bugfix in the next release. Regards, Matthias