[PATCH 1/2] readline: Fix potential buffer overflow

[PATCH 1/2] readline: Fix potential buffer overflow

[Sascha Hauer]

cread_add_char doesn't take the trailing '\0' into account, so adding
it at the end of readline can overflow the buffer.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 lib/readline.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/readline.c b/lib/readline.c
index c007e10..4c9bb76 100644
--- a/lib/readline.c
+++ b/lib/readline.c
@@ -150,7 +150,7 @@ static void cread_add_char(char ichar, int insert, unsigned long *num,
 
 	/* room ??? */
 	if (insert || *num == *eol_num) {
-		if (*eol_num > len - 1) {
+		if (*eol_num > len - 2) {
 			getcmd_cbeep();
 			return;
 		}
-- 
2.6.2


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox

[PATCH 2/2] readline: Fix potential buffer overflow in command history

[Sascha Hauer]

Cursor up copies the last line into the buffer without checking if it
fits into the current buffer. Fix this using safe_strncpy.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
---
 lib/readline.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/readline.c b/lib/readline.c
index 4c9bb76..cac9670 100644
--- a/lib/readline.c
+++ b/lib/readline.c
@@ -1,6 +1,7 @@
 #include <common.h>
 #include <readkey.h>
 #include <init.h>
+#include <libbb.h>
 #include <xfuncs.h>
 #include <complete.h>
 #include <linux/ctype.h>
@@ -321,7 +322,7 @@ int readline(const char *prompt, char *buf, int len)
 			ERASE_TO_EOL();
 
 			/* copy new line into place and display */
-			strcpy(buf, hline);
+			safe_strncpy(buf, hline, len);
 			eol_num = strlen(buf);
 			REFRESH_TO_EOL();
 			continue;
-- 
2.6.2


_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox