git: d30a1689f5b3 - main - libefivar: Fix a buffer overread.
Date: Mon, 03 Oct 2022 23:11:32 UTC
The branch main has been updated by jhb:
URL: https://cgit.FreeBSD.org/src/commit/?id=d30a1689f5b37e78ea189232a8b94a7011dc0dc8
commit d30a1689f5b37e78ea189232a8b94a7011dc0dc8
Author: John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2022-10-03 23:10:44 +0000
Commit: John Baldwin <jhb@FreeBSD.org>
CommitDate: 2022-10-03 23:10:44 +0000
libefivar: Fix a buffer overread.
DevPathToTextUsbWWID allocates a separate copy of the SerialNumber
string to append a null terminator if the original string is not
null terminated. However, by using AllocateCopyPool, it tries to
copy 'Length + 1' words from the existing string containing 'Length'
characters into the target string. Split the copy out to only
copy 'Length' characters instead.
Reviewed by: imp, emaste
Reported by: GCC 12 -Wstringop-overread
Differential Revision: https://reviews.freebsd.org/D36826
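To make the overread in the commit message concrete, here is an added C example (not FreeBSD or EDK2 code, and not part of this commit). It models a UEFI USB WWID device-path node as a byte buffer, computes the serial-number length in CHAR16 units from the node length, and compares the units the old AllocateCopyPool call reads (Length + 1) against the units the new CopyMem reads (Length), using an explicit bounds check that the library code itself does not perform. Assumptions: the node layout is a 4-byte generic header (type, subtype, 16-bit little-endian length) followed by three UINT16 fields (interface, vendor, product) and then the UTF-16LE serial number with no guaranteed terminator; a little-endian host; the sample node bytes are constructed for the example.

```c
/* Added example, not FreeBSD/EDK2 code. Models the USB WWID serial-number
 * copy that commit d30a1689f5b3 fixes. Assumed node layout: 4-byte header,
 * three UINT16 fields (10 bytes total), then an unterminated UTF-16LE serial.
 * Assumes a little-endian host. Build with: cc -fsanitize=address demo.c */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WWID_FIXED_LEN 10u /* header (4) + interface/vendor/product (6) */

/* CHAR16 units available for the serial number, or 0 if the node is too
 * short or its trailing byte count is odd (malformed node). */
static size_t serial_units(size_t node_len) {
    if (node_len < WWID_FIXED_LEN || (node_len - WWID_FIXED_LEN) % 2 != 0)
        return 0;
    return (node_len - WWID_FIXED_LEN) / 2;
}

/* Bounds check the library code lacks: does reading `units` CHAR16 values
 * starting at the serial number stay inside the node? */
static int read_fits(size_t node_len, size_t units) {
    return units <= serial_units(node_len);
}

/* AllocateCopyPool((Length + 1) * sizeof (CHAR16), src) reads Length + 1
 * units from a buffer that holds only Length: one unit past the end. */
static size_t buggy_units_read(size_t length) { return length + 1; }

/* AllocatePool + CopyMem(Length * sizeof (CHAR16)) reads exactly Length. */
static size_t fixed_units_read(size_t length) { return length; }

/* Returns a freshly allocated NUL-terminated UTF-16 copy of the serial,
 * reading only inside [node, node + node_len). Caller frees. Returns NULL
 * on a malformed node or allocation failure instead of asserting. */
static uint16_t *serial_to_string(const uint8_t *node, size_t node_len) {
    size_t length = serial_units(node_len);
    const uint8_t *src = node + WWID_FIXED_LEN;
    uint16_t last = 0;
    uint16_t *s;
    if (length == 0)
        return NULL;
    memcpy(&last, src + (length - 1) * 2, 2);
    if (last == 0) {
        /* Already terminated: the Length units include the terminator. */
        s = malloc(length * sizeof *s);
        if (s == NULL)
            return NULL;
        memcpy(s, src, length * 2);
        return s;
    }
    /* Unterminated: allocate Length + 1 but read only Length units. */
    if (!read_fits(node_len, fixed_units_read(length)))
        return NULL;
    s = malloc((length + 1) * sizeof *s);
    if (s == NULL)
        return NULL;
    memcpy(s, src, length * 2);
    s[length] = 0;
    return s;
}

static size_t u16len(const uint16_t *s) {
    size_t n = 0;
    while (s[n] != 0)
        n++;
    return n;
}

/* Constructed sample node: serial "SN42" (4 units), no terminator. */
static const uint8_t sample_node[] = {
    0x03, 0x10, 0x12, 0x00,             /* type 3, subtype 0x10, length 18 */
    0x00, 0x00, 0x34, 0x12, 0x78, 0x56, /* interface 0, vendor, product */
    'S', 0, 'N', 0, '4', 0, '2', 0      /* UTF-16LE "SN42", unterminated */
};

int main(void) {
    size_t len = serial_units(sizeof sample_node);
    uint16_t *s;
    printf("Length = %zu units: old copy reads %zu (in bounds: %d), "
           "new copy reads %zu (in bounds: %d)\n",
           len, buggy_units_read(len), read_fits(sizeof sample_node, buggy_units_read(len)),
           fixed_units_read(len), read_fits(sizeof sample_node, fixed_units_read(len)));
    s = serial_to_string(sample_node, sizeof sample_node);
    if (s != NULL) {
        printf("terminated copy has %zu units\n", u16len(s));
        free(s);
    }
    return 0;
}
```

With the sample node, Length is 4, so the old call would read 5 units (10 bytes) from an 8-byte serial, which is the extra CHAR16 GCC 12 warned about; the fixed copy reads 4 and writes the terminator into the extra unit it allocated. Building with AddressSanitizer and placing the serial at the end of a heap allocation is the quickest way to see the original pattern fault at runtime.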
---
lib/libefivar/efivar-dp-format.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/lib/libefivar/efivar-dp-format.c b/lib/libefivar/efivar-dp-format.c
index 9003b156f7fe..186f1cd5f103 100644
--- a/lib/libefivar/efivar-dp-format.c
+++ b/lib/libefivar/efivar-dp-format.c
@@ -1049,8 +1049,9 @@ DevPathToTextUsbWWID (
//
// In case no NULL terminator in SerialNumber, create a new one with NULL terminator
//
- NewStr = AllocateCopyPool ((Length + 1) * sizeof (CHAR16), SerialNumberStr);
+ NewStr = AllocatePool ((Length + 1) * sizeof (CHAR16));
ASSERT (NewStr != NULL);
+ CopyMem (NewStr, SerialNumberStr, Length * sizeof (CHAR16));
NewStr[Length] = 0;
SerialNumberStr = NewStr;
}
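Review bot: ASSERT (NewStr != NULL) remains the only handling of allocation failure in this hunk, and the new split means a NULL return from AllocatePool now flows into CopyMem (NewStr, SerialNumberStr, ...) and then NewStr[Length] = 0 if assertions are compiled out in this userland build; consider an explicit NULL check that bails out before the CopyMem. The copy itself is right: CopyMem (NewStr, SerialNumberStr, Length * sizeof (CHAR16)) reads exactly the Length units the source holds, and NewStr[Length] = 0 writes the terminator into the extra unit that the (Length + 1) * sizeof (CHAR16) allocation provides.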