Date: Mon, 3 Oct 2022 23:11:32 GMT
From: John Baldwin <jhb@FreeBSD.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: d30a1689f5b3 - main - libefivar: Fix a buffer overread.
Message-ID: <202210032311.293NBWYc065857@gitrepo.freebsd.org>
The branch main has been updated by jhb:

URL: https://cgit.FreeBSD.org/src/commit/?id=d30a1689f5b37e78ea189232a8b94a7011dc0dc8

commit d30a1689f5b37e78ea189232a8b94a7011dc0dc8
Author:     John Baldwin <jhb@FreeBSD.org>
AuthorDate: 2022-10-03 23:10:44 +0000
Commit:     John Baldwin <jhb@FreeBSD.org>
CommitDate: 2022-10-03 23:10:44 +0000

    libefivar: Fix a buffer overread.

    DevPathToTextUsbWWID allocates a separate copy of the SerialNumber
    string to append a null terminator if the original string is not null
    terminated.  However, by using AllocateCopyPool, it tries to copy
    'Length + 1' words from the existing string containing 'Length'
    characters into the target string.  Split the copy out to only copy
    'Length' characters instead.

    Reviewed by:    imp, emaste
    Reported by:    GCC 12 -Wstringop-overread
    Differential Revision:  https://reviews.freebsd.org/D36826
---
 lib/libefivar/efivar-dp-format.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/libefivar/efivar-dp-format.c b/lib/libefivar/efivar-dp-format.c
index 9003b156f7fe..186f1cd5f103 100644
--- a/lib/libefivar/efivar-dp-format.c
+++ b/lib/libefivar/efivar-dp-format.c
@@ -1049,8 +1049,9 @@ DevPathToTextUsbWWID ( // // In case no NULL terminator in SerialNumber, create a new one with NULL terminator // - NewStr = AllocateCopyPool ((Length + 1) * sizeof (CHAR16), SerialNumberStr); + NewStr = AllocatePool ((Length + 1) * sizeof (CHAR16)); ASSERT (NewStr != NULL); + CopyMem (NewStr, SerialNumberStr, Length * sizeof (CHAR16)); NewStr[Length] = 0; SerialNumberStr = NewStr; }
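Review bot: with `ASSERT (NewStr != NULL);` as the only check between `NewStr = AllocatePool ((Length + 1) * sizeof (CHAR16));` and the new `CopyMem (NewStr, SerialNumberStr, Length * sizeof (CHAR16));`, a build where ASSERT expands to nothing will hand a NULL destination to CopyMem and then store `NewStr[Length] = 0` through it whenever the allocation fails. The ASSERT predates this change, so that is a follow-up rather than a blocker for the over-read fix, but an explicit allocation-failure exit before the copy would close it. The size arithmetic in the hunk is right: Length + 1 words are allocated, exactly Length words are read from a source that holds Length, and the terminator lands in the extra slot.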
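To make the off-by-one in the commit message concrete, here is an added C example that is not FreeBSD or EDK2 code. It models the two shapes of the copy: the old one, which asked to read Length + 1 words from a Length-word source, and the fixed one, which reads only Length words and writes the terminator itself. The helpers are assumptions: malloc and memcpy stand in for AllocatePool and CopyMem, bounded_copy is a constructed stand-in that knows how many bytes the source really holds and reports an out-of-bounds read instead of performing it, and sample_serial is a constructed unterminated UCS-2 serial number like the one carried in a USB WWID device path node.

```c
/* Added example, not FreeBSD/EDK2 code: models the buffer over-read fixed
 * by the commit above.  malloc/memcpy stand in for AllocatePool/CopyMem
 * (assumption); bounded_copy is a constructed helper that tracks the true
 * size of the source so an over-read is reported rather than executed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint16_t CHAR16;

/* Bounded stand-in for CopyMem: refuses to read past src_bytes.  In the
 * real code there is no such guard; the extra word is simply read. */
static bool bounded_copy(void *dst, const void *src, size_t n, size_t src_bytes)
{
    if (n > src_bytes)
        return false;   /* the over-read GCC's -Wstringop-overread flagged */
    memcpy(dst, src, n);
    return true;
}

/* Old shape (AllocateCopyPool with Length + 1 words): the allocation size
 * is right, but the same size is used as the copy length from a source
 * that only holds Length words. */
static CHAR16 *terminate_old(const CHAR16 *serial, size_t length, bool *overread)
{
    size_t alloc_bytes = (length + 1) * sizeof(CHAR16);
    CHAR16 *new_str = malloc(alloc_bytes);
    *overread = false;
    if (new_str == NULL)
        return NULL;
    if (!bounded_copy(new_str, serial, alloc_bytes, length * sizeof(CHAR16))) {
        *overread = true;
        free(new_str);
        return NULL;
    }
    new_str[length] = 0;
    return new_str;
}

/* Fixed shape (AllocatePool + CopyMem, as in the commit): allocate
 * Length + 1 words, copy only Length words, then add the terminator. */
static CHAR16 *terminate_new(const CHAR16 *serial, size_t length, bool *overread)
{
    size_t src_bytes = length * sizeof(CHAR16);
    CHAR16 *new_str = malloc((length + 1) * sizeof(CHAR16));
    *overread = false;
    if (new_str == NULL)
        return NULL;    /* explicit failure exit instead of a bare ASSERT */
    if (!bounded_copy(new_str, serial, src_bytes, src_bytes)) {
        *overread = true;
        free(new_str);
        return NULL;
    }
    new_str[length] = 0;
    return new_str;
}

/* Constructed sample: a 4-character UCS-2 serial with no terminator. */
static const CHAR16 sample_serial[4] = { 'A', 'B', 'C', '1' };

/* 1 if the old shape would read past the end of sample_serial, else 0. */
int old_shape_overreads(void)
{
    bool overread;
    CHAR16 *s = terminate_old(sample_serial, 4, &overread);
    free(s);
    return overread ? 1 : 0;
}

/* Length of the terminated copy produced by the fixed shape if it matches
 * the source (expected 4); -1 on allocation/over-read, -2 on mismatch. */
int new_shape_length(void)
{
    bool overread;
    CHAR16 *s = terminate_new(sample_serial, 4, &overread);
    if (s == NULL)
        return -1;
    int n = 0;
    while (s[n] != 0)
        n++;
    bool same = memcmp(s, sample_serial, sizeof sample_serial) == 0;
    free(s);
    return same ? n : -2;
}
```

The point the example isolates is that the allocation size and the copy size are two different numbers once a terminator is being added: the destination needs Length + 1 words, but only Length words exist to be read, and conflating the two is what produced the over-read.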