In do_bootvx the environment variable 'bootdev' is fetched and copied
into a buffer without confirming that it will not overflow that buffer.
Use strlcpy to ensure that the buffer will not be overflowed.
This issue was found by Smatch.
Signed-off-by: Andrew Goodbody <andrew.goodb...@linaro.org>
---
cmd/elf.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/cmd/elf.c b/cmd/elf.c
index 5e0ee30a7c8..53ec193aaa6 100644
--- a/cmd/elf.c
+++ b/cmd/elf.c
@@ -21,6 +21,8 @@
#include <linux/linkage.h>
#endif
+#define BOOTLINE_BUF_LEN 128
+
/* Interpreter command to boot an arbitrary ELF image from memory */
int do_bootelf(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[])
{
@@ -114,7 +116,7 @@ int do_bootvx(struct cmd_tbl *cmdtp, int flag, int argc,
char *const argv[])
unsigned long bootaddr = 0; /* Address to put the bootline */
char *bootline; /* Text of the bootline */
char *tmp; /* Temporary char pointer */
- char build_buf[128]; /* Buffer for building the bootline */
+ char build_buf[BOOTLINE_BUF_LEN]; /* Buffer for building the bootline */
int ptr = 0;
#ifdef CONFIG_X86
ulong base;
@@ -226,7 +228,7 @@ int do_bootvx(struct cmd_tbl *cmdtp, int flag, int argc,
char *const argv[])
if (!bootline) {
tmp = env_get("bootdev");
if (tmp) {
- strcpy(build_buf, tmp);
+ strlcpy(build_buf, tmp, BOOTLINE_BUF_LEN);
ptr = strlen(tmp);
} else {
printf("## VxWorks boot device not specified\n");
---
base-commit: bd0ade7d090a334b3986936d63a34001d99722ad
change-id: 20250721-elfboot-0eac16932467
Best regards,
--
Andrew Goodbody <andrew.goodb...@linaro.org>
