diff options
| author | Zheng Bao <fishbaozi@gmail.com> | 2021-05-27 11:11:34 +0800 |
|---|---|---|
| committer | Felix Held <felix-coreboot@felixheld.de> | 2021-08-31 15:05:48 +0000 |
| commit | dac446165eab07216428fc660b3fd28603803f0f (patch) | |
| tree | 6e5f80de298a0846bee48c358524ddea7e6ce8cb /util | |
| parent | fd2982ec8a61894d466efc47a9d724a93af6ddc6 (diff) | |
| download | coreboot-dac446165eab07216428fc660b3fd28603803f0f.tar.gz coreboot-dac446165eab07216428fc660b3fd28603803f0f.tar.bz2 coreboot-dac446165eab07216428fc660b3fd28603803f0f.zip | |
amdfwtool: Copy string in a safer way
The issue is reported by Coverity. Using strcpy or strcat copying
string without checking length may cause overflow.
BUG=b:188769921
Reported-by: Coverity (CID:1438964)
Change-Id: I609d9ce405d01c57b1847a6310630ea0341e13be
Signed-off-by: Zheng Bao <fishbaozi@gmail.com>
Reviewed-on: https://review.coreboot.org/c/coreboot/+/54946
Reviewed-by: Felix Held <felix-coreboot@felixheld.de>
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Diffstat (limited to 'util')
| -rw-r--r-- | util/amdfwtool/data_parse.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/util/amdfwtool/data_parse.c b/util/amdfwtool/data_parse.c index 6b773e04c3fe..026480f64d7c 100644 --- a/util/amdfwtool/data_parse.c +++ b/util/amdfwtool/data_parse.c @@ -5,6 +5,7 @@ #include <string.h> #include <stdlib.h> #include <stdint.h> +#include <assert.h> #include "amdfwtool.h" @@ -410,6 +411,7 @@ uint8_t process_config(FILE *config, amd_cb_config *cb_config, uint8_t print_dep char oneline[MAX_LINE_SIZE], *path_filename; regmatch_t match[N_MATCHES]; char dir[MAX_LINE_SIZE] = {'\0'}; + uint32_t dir_len; compile_reg_expr(REG_EXTENDED | REG_NEWLINE, blank_or_comment_regex, &blank_or_comment_expr); @@ -424,7 +426,10 @@ uint8_t process_config(FILE *config, amd_cb_config *cb_config, uint8_t print_dep continue; if (is_valid_entry(oneline, match)) { if (strcmp(&(oneline[match[1].rm_so]), "FIRMWARE_LOCATION") == 0) { - strcpy(dir, &(oneline[match[2].rm_so])); + dir_len = match[2].rm_eo - match[2].rm_so; + assert(dir_len < MAX_LINE_SIZE); + snprintf(dir, MAX_LINE_SIZE, "%.*s", dir_len, + &(oneline[match[2].rm_so])); break; } } @@ -445,10 +450,10 @@ uint8_t process_config(FILE *config, amd_cb_config *cb_config, uint8_t print_dep if (strcmp(&(oneline[match[1].rm_so]), "FIRMWARE_LOCATION") == 0) { continue; } else { - path_filename = malloc(MAX_LINE_SIZE); - strcpy(path_filename, dir); - strcat(path_filename, "/"); - strcat(path_filename, &(oneline[match[2].rm_so])); + path_filename = malloc(MAX_LINE_SIZE * 2 + 2); + snprintf(path_filename, MAX_LINE_SIZE * 2 + 2, "%.*s/%.*s", + MAX_LINE_SIZE, dir, MAX_LINE_SIZE, + &(oneline[match[2].rm_so])); if (find_register_fw_filename_psp_dir( &(oneline[match[1].rm_so]), |