On Wed, 13 Oct 2021 at 09:46, Marek Behún <ka...@kernel.org> wrote:
>
> From: Marek Behún <marek.be...@nic.cz>
>
> There is a possible overflow in env_match(): if environment contains
> a terminating null-byte before '=' character (i.e. environment is
> broken), the env_match() function can access data after the terminating
> null-byte from parameter pointer.
>
> Example: if env_get_char() returns characters from string array
> "abc\0def\0" and env_match("abc", 0) is called, the function will access
> at least one byte after the end of the "abc" literal.
>
> Fix this by checking for terminating null-byte in env_match().
>
> Signed-off-by: Marek Behún <marek.be...@nic.cz>
> ---
> Change since v1:
> - check for '\0' only after incrementing i2
> ---
> cmd/nvedit.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
Reviewed-by: Simon Glass <s...@chromium.org>
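As an added illustration, not code from the patch or from U-Boot's cmd/nvedit.c: a self-contained model of the env_match() walk over a constructed environment image, with the '\0' check placed after i2 is incremented as the v2 note describes, beside a bounded model of the pre-fix loop that reports how many bytes past the name's terminator it examines. The image `env_image`, the helper `overread_unfixed` and the bodies of `env_match`/`env_get_char` are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed environment image (not from the patch): record 0 is broken,
 * a name ended by '\0' with no '=', followed by two well-formed records. */
static const char env_image[] = "abc\0def=1\0xyz=2\0";

/* Stand-in for env_get_char(): one byte of the environment image. */
static char env_get_char(int i)
{
	return env_image[i];
}
/* Matcher with the fix: compare name s1 with the record at env offset i2;
 * return the offset of the value (just past '='), or -1. The '\0' test
 * sits after i2++ so the post-loop test still sees the byte that ended
 * the comparison. */
static int env_match(const char *s1, int i2)
{
	if (s1 == NULL)
		return -1;
	while (*s1 == env_get_char(i2++)) {
		if (*s1 == '\0')	/* both ended without a '=': broken record */
			return -1;
		if (*s1++ == '=')
			return i2;
	}
	/* Caller passed a bare name: accept it if the record's '=' came next. */
	if (*s1 == '\0' && env_get_char(i2 - 1) == '=')
		return i2;
	return -1;
}

/* Model of the pre-fix loop, bounded for demonstration only: the name is
 * copied into a zero-filled buffer so the walk cannot leave it, and the
 * count of bytes examined past the name's terminator is returned. The
 * real function walked the caller's string with no such bound. */
static size_t overread_unfixed(const char *name, int i2)
{
	char buf[16] = { 0 };
	const char *s1 = buf;
	size_t walked;
	strncpy(buf, name, sizeof(buf) - 1);
	while (s1 < buf + sizeof(buf) - 1 && i2 < (int)sizeof(env_image) &&
	       *s1 == env_get_char(i2++))
		if (*s1++ == '=')
			break;
	walked = (size_t)(s1 - buf);
	return walked > strlen(name) ? walked - strlen(name) : 0;
}
```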