mail archive of the barebox mailing list
* [PATCH] readkey: force return from while true
@ 2011-11-22 12:32 Jan Weitzel
  2011-11-22 20:20 ` Sascha Hauer
  0 siblings, 1 reply; 4+ messages in thread
From: Jan Weitzel @ 2011-11-22 12:32 UTC
  To: barebox

If read_key is fed by Ctrl + KEY_LEFT you run into the while(1)
loop and corrupt memory through esc array.
Force return if index gets too high.

Signed-off-by: Jan Weitzel <j.weitzel@phytec.de>
---
 lib/readkey.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/lib/readkey.c b/lib/readkey.c
index a42d1cb..895db82 100644
--- a/lib/readkey.c
+++ b/lib/readkey.c
@@ -67,6 +67,8 @@ int read_key(void)
 				esc[i] = getc();
 				if (esc[i++] == '~')
 					break;
+				if (i == 5)
+					return -1;
 			}
 		}
 		esc[i] = 0;
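Review bot: the bound in `if (i == 5)` is a bare literal, and the hunk does not show the declaration of `esc` that it has to match, so the check goes stale without warning if the array is ever resized. Derive it from the array instead, e.g. `if (i == ARRAY_SIZE(esc))`, and add a one-line comment saying the early return rejects an escape sequence that never delivers its terminating '~'.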
-- 
1.7.0.4


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox


* Re: [PATCH] readkey: force return from while true
  2011-11-22 12:32 [PATCH] readkey: force return from while true Jan Weitzel
@ 2011-11-22 20:20 ` Sascha Hauer
  2011-11-24  9:19   ` Marc Kleine-Budde
  0 siblings, 1 reply; 4+ messages in thread
From: Sascha Hauer @ 2011-11-22 20:20 UTC
  To: Jan Weitzel; +Cc: barebox

On Tue, Nov 22, 2011 at 01:32:19PM +0100, Jan Weitzel wrote:
> If read_key is fed by Ctrl + KEY_LEFT you run into the while(1)
> loop and corrupt memory through esc array.
> Force return if index gets too high.
>

Wow, a shortcut to crash barebox. Applied to master.

Sascha

> Signed-off-by: Jan Weitzel <j.weitzel@phytec.de>
> ---
>  lib/readkey.c |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/lib/readkey.c b/lib/readkey.c
> index a42d1cb..895db82 100644
> --- a/lib/readkey.c
> +++ b/lib/readkey.c
> @@ -67,6 +67,8 @@ int read_key(void)
>  				esc[i] = getc();
>  				if (esc[i++] == '~')
>  					break;
> +				if (i == 5)
> +					return -1;
>  			}
>  		}
>  		esc[i] = 0;
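
Review bot: on the `return -1` path the sequence is abandoned part-way, so any bytes still to come from the terminal (up to the '~' the loop was waiting for) are left unread and will be picked up by the next `getc()` as if they were fresh keystrokes. Consider draining the rest of the sequence before returning, and document what a -1 return from read_key() means for callers, since the hunk does not show any of them handling it.
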
> -- 
> 1.7.0.4
> 
> 
> 

-- 
Pengutronix e.K.                           |                             |
Industrial Linux Solutions                 | http://www.pengutronix.de/  |
Peiner Str. 6-8, 31137 Hildesheim, Germany | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |


* Re: [PATCH] readkey: force return from while true
  2011-11-22 20:20 ` Sascha Hauer
@ 2011-11-24  9:19   ` Marc Kleine-Budde
  2011-11-24 10:48     ` [PATCH v2] " Jan Weitzel
  0 siblings, 1 reply; 4+ messages in thread
From: Marc Kleine-Budde @ 2011-11-24  9:19 UTC
  To: Sascha Hauer; +Cc: barebox



On 11/22/2011 09:20 PM, Sascha Hauer wrote:
> On Tue, Nov 22, 2011 at 01:32:19PM +0100, Jan Weitzel wrote:
>> If read_key is fed by Ctrl + KEY_LEFT you run into the while(1)
>> loop and corrupt memory through esc array.
>> Force return if index gets too high.
>>
> 
> Wow, a shortcut to crash barebox. Applied to master.
> 
> Sascha
> 
>> Signed-off-by: Jan Weitzel <j.weitzel@phytec.de>
>> ---
>>  lib/readkey.c |    2 ++
>>  1 files changed, 2 insertions(+), 0 deletions(-)
>>
>> diff --git a/lib/readkey.c b/lib/readkey.c
>> index a42d1cb..895db82 100644
>> --- a/lib/readkey.c
>> +++ b/lib/readkey.c
>> @@ -67,6 +67,8 @@ int read_key(void)
>>  				esc[i] = getc();
>>  				if (esc[i++] == '~')
>>  					break;
>> +				if (i == 5)

ARRAY_SIZE?

>> +					return -1;
>>  			}
>>  		}
>>  		esc[i] = 0;
>> -- 
>> 1.7.0.4
>>
>>
>>
> 

Marc

-- 
Pengutronix e.K.                  | Marc Kleine-Budde           |
Industrial Linux Solutions        | Phone: +49-231-2826-924     |
Vertretung West/Dortmund          | Fax:   +49-5121-206917-5555 |
Amtsgericht Hildesheim, HRA 2686  | http://www.pengutronix.de   |



* [PATCH v2] readkey: force return from while true
  2011-11-24  9:19   ` Marc Kleine-Budde
@ 2011-11-24 10:48     ` Jan Weitzel
  0 siblings, 0 replies; 4+ messages in thread
From: Jan Weitzel @ 2011-11-24 10:48 UTC
  To: barebox

If read_key is fed by Ctrl + KEY_LEFT you run into the while(1)
loop and corrupt memory through esc array.
Force return if index gets too high.

Signed-off-by: Jan Weitzel <j.weitzel@phytec.de>
---
v2: use ARRAY_SIZE

 lib/readkey.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/lib/readkey.c b/lib/readkey.c
index a42d1cb..1117c30 100644
--- a/lib/readkey.c
+++ b/lib/readkey.c
@@ -67,6 +67,8 @@ int read_key(void)
 				esc[i] = getc();
 				if (esc[i++] == '~')
 					break;
+				if (i == ARRAY_SIZE(esc))
+					return -1;
 			}
 		}
 		esc[i] = 0;
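Review bot: the new `if (i == ARRAY_SIZE(esc))` test sits after the '~' test, so one out-of-bounds write survives: when '~' is stored in the last element, `i++` makes i equal to ARRAY_SIZE(esc), the `break` is taken before the bound is checked, and the trailing `esc[i] = 0;` then writes one element past the end of the array. Check the bound before the store and leave room for the terminator, e.g. `if (i >= ARRAY_SIZE(esc) - 1) return -1;` ahead of `esc[i] = getc();`.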
-- 
1.7.0.4

