Replace unbounded sprintf() with snprintf() using sizeof(message)
as the bound for all prompt string assignments in
get_cfgblock_interactive(), get_cfgblock_carrier_interactive(),
do_cfgblock_carrier_create() and do_cfgblock_create(). The
previous calls had no size limit and could overflow the
CONFIG_SYS_CBSIZE-sized stack buffer if SYS_CBSIZE was configured
smaller than the longest prompt string (71 bytes).

Fixes: 8b6dc5d3943c ("toradex: tdx-cfg-block: Cleanup interactive cfg block 
creation")
Signed-off-by: Ngo Luong Thanh Tra <[email protected]>
To: [email protected]
---

 board/toradex/common/tdx-cfg-block.c | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)

diff --git a/board/toradex/common/tdx-cfg-block.c 
b/board/toradex/common/tdx-cfg-block.c
index 0fc3759695f..d75a6754c68 100644
--- a/board/toradex/common/tdx-cfg-block.c
+++ b/board/toradex/common/tdx-cfg-block.c
@@ -508,7 +508,7 @@ static int get_cfgblock_interactive(void)
                               toradex_modules[i].name);
        }
 
-       sprintf(message, "Enter the module ID: ");
+       snprintf(message, sizeof(message), "Enter the module ID: ");
        len = cli_readline(message);
 
        prodid = dectoul(console_buffer, NULL);
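Review bot: The value stored in `prodid` on the last line of this hunk is parsed from `console_buffer` without consulting `len`, so an empty or aborted read is parsed all the same. Because the end pointer is discarded, `dectoul(console_buffer, NULL)` also cannot tell a typed "0" from input that contains no digits at all. Consider `prodid = dectoul(console_buffer, &endp);` and prompting again when `len <= 0 || endp == console_buffer`. The same pattern feeds `tdx_car_hw_tag.prodid` in the get_cfgblock_carrier_interactive() hunk. Any range check on the ID lies outside these hunks, so a later test in the function may already catch this.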
@@ -521,7 +521,8 @@ static int get_cfgblock_interactive(void)
 
        len = 0;
        while (len < 4) {
-               sprintf(message, "Enter the module version (e.g. V1.1B or 
V1.1#26): V");
+               snprintf(message, sizeof(message),
+                        "Enter the module version (e.g. V1.1B or V1.1#26): V");
                len = cli_readline(message);
        }
 
@@ -535,7 +536,7 @@ static int get_cfgblock_interactive(void)
        }
 
        while (len < 8) {
-               sprintf(message, "Enter module serial number: ");
+               snprintf(message, sizeof(message), "Enter module serial number: 
");
                len = cli_readline(message);
        }
 
@@ -744,12 +745,13 @@ static int get_cfgblock_carrier_interactive(void)
                       toradex_carrier_boards[i].name,
                       toradex_carrier_boards[i].pid4);
 
-       sprintf(message, "Choose your carrier board (provide ID): ");
+       snprintf(message, sizeof(message), "Choose your carrier board (provide 
ID): ");
        len = cli_readline(message);
        tdx_car_hw_tag.prodid = dectoul(console_buffer, NULL);
 
        do {
-               sprintf(message, "Enter carrier board version (e.g. V1.1B or 
V1.1#26): V");
+               snprintf(message, sizeof(message),
+                        "Enter carrier board version (e.g. V1.1B or V1.1#26): 
V");
                len = cli_readline(message);
        } while (len < 4);
 
@@ -763,7 +765,7 @@ static int get_cfgblock_carrier_interactive(void)
        }
 
        while (len < 8) {
-               sprintf(message, "Enter carrier board serial number: ");
+               snprintf(message, sizeof(message), "Enter carrier board serial 
number: ");
                len = cli_readline(message);
        }
 
@@ -799,7 +801,8 @@ static int do_cfgblock_carrier_create(struct cmd_tbl 
*cmdtp, int flag, int argc,
        if (valid_cfgblock_carrier && !force_overwrite) {
                char message[CONFIG_SYS_CBSIZE];
 
-               sprintf(message, "A valid Toradex Carrier config block is 
present, still recreate? [y/N] ");
+               snprintf(message, sizeof(message),
+                        "A valid Toradex Carrier config block is present, 
still recreate? [y/N] ");
 
                if (!cli_readline(message))
                        goto out;
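Review bot: The prompt here is a constant string with no conversion specifiers, so the copy into `message` is unnecessary; passing the literal directly, `if (!cli_readline("A valid Toradex Carrier config block is present, still recreate? [y/N] "))`, removes the `char message[CONFIG_SYS_CBSIZE]` stack buffer and any dependence on the configured size. With `snprintf()` a too-small CONFIG_SYS_CBSIZE no longer overflows, but it silently truncates the question and the return value is not checked, so an operator could be asked to confirm an overwrite from a cut-off prompt. This assumes cli_readline() takes a `const char *` prompt and does not modify it, which should be confirmed against its prototype. The same applies to every other `snprintf(message, sizeof(message), ...)` in this patch; in the two *_interactive() functions `message` is declared outside the hunks, so `sizeof(message)` is only the right bound there if it is an array rather than a pointer.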
@@ -907,8 +910,8 @@ static int do_cfgblock_create(struct cmd_tbl *cmdtp, int 
flag, int argc,
                if (!force_overwrite) {
                        char message[CONFIG_SYS_CBSIZE];
 
-                       sprintf(message,
-                               "A valid Toradex config block is present, still 
recreate? [y/N] ");
+                       snprintf(message, sizeof(message),
+                                "A valid Toradex config block is present, 
still recreate? [y/N] ");
 
                        if (!cli_readline(message))
                                goto out;
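Review bot: `if (!cli_readline(message))` treats only a zero-length line as "no", so a negative return falls through to whatever check follows outside the hunk. If cli_readline() can return a negative value for an interrupted or timed-out read (worth confirming in cli.h), the decision to recreate the config block then rests on the contents of `console_buffer` after a failed read. Writing the test as `if (cli_readline(message) <= 0)` ahead of the existing `goto out;` would make every non-answer decline the overwrite. do_cfgblock_carrier_create() has the identical test in the previous hunk.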
-- 
2.53.0

base-commit: c704af3c8b0f37929bce8c2a4bba27d6e89919c7
branch: fix/sys-cbsize-overflow-series
