From: Christian Storm <[email protected]>

Read() returns the number of *bytes* read and this is verbatim used to index the CHAR16 buffer without accommodation to CHAR16, resulting in a wrong string termination position and potentially an out-of-bounds write if the read input is sufficiently long. Fix it by accommodating the bytes read to CHAR16.
Signed-off-by: Christian Storm <[email protected]> --- utils.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/utils.c b/utils.c index 78a149a..6238c8b 100644 --- a/utils.c +++ b/utils.c @@ -95,7 +95,7 @@ CHAR16 *get_volume_custom_label(EFI_FILE_HANDLE fh) if (status != EFI_SUCCESS) { return NULL; } - buffer[buffsize] = L'\0'; + buffer[buffsize/sizeof(CHAR16)] = L'\0'; (VOID)uefi_call_wrapper(fh->Close, 1, tmp); return buffer; } -- 2.32.0 -- To view this discussion on the web visit https://groups.google.com/d/msgid/efibootguard-dev/20210817090209.16178-1-christian.storm%40siemens.com.
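
Review bot: In the changed line `buffer[buffsize/sizeof(CHAR16)] = L'\0';` the index is now in CHAR16 units, but the hunk does not show how `buffer` is allocated or what `buffsize` held before the Read() call, so it is not visible whether a read that fills the whole buffer still leaves room for the terminator. If Read() can return the full requested size, the index equals the element count and the write lands one CHAR16 past the end unless the allocation reserves an extra element; please confirm that and say so in the commit message or in a comment next to the allocation. An odd byte count is truncated by the integer division, so the terminator overwrites the partial trailing character, which looks acceptable but deserves a one-line comment. Minor style point on the same line: put spaces around the `/` operator.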
