[PATCH v7 11/11] lib: sbi: Fix missing '\0' when buffer size equals 1

Xiang W wxjstz at 126.com
Wed Jul 5 06:33:33 PDT 2023


On Wed, 2023-07-05 at 11:14 +0530, Anup Patel wrote:
> On Tue, Jul 4, 2023 at 6:43 PM Xiang W <wxjstz at 126.com> wrote:
> > 
> > Fix special case: sbi_snprintf(out, out_len, ...) when out_len equals
> > 1. The previous code will not fill the buffer with any char.
> 
> I don't understand why this special case is needed.
The characters are eventually filled by printc, which requires a buffer
greater than 1. For buffer lengths equal to 1, no characters will be filled.
Accessing this buffer later may result in an overflow.

This bug is hard to trigger, and the compiler's static detection checks
for the minimum requirement of out_len. However, when the input parameter
is a variable, the static check will fail and the bug will be triggered.

Regards,
Xiang
> 
> Regards,
> Anup
> 
> > 
> > Signed-off-by: Xiang W <wxjstz at 126.com>
> > ---
> >  lib/sbi/sbi_console.c | 4 ++++
> >  1 file changed, 4 insertions(+)
> > 
> > diff --git a/lib/sbi/sbi_console.c b/lib/sbi/sbi_console.c
> > index 50af405..4f7c4ca 100644
> > --- a/lib/sbi/sbi_console.c
> > +++ b/lib/sbi/sbi_console.c
> > @@ -271,6 +271,10 @@ static int print(char **out, u32 *out_len, const char *format, va_list args)
> >                 out_len = &console_tbuf_len;
> >         }
> > 
> > +       /* handle special case: *out_len == 1*/
> > +       if (out)
> > +               **out = '\0';
> > +
> >         for (; *format != 0; ++format) {
> >                 width = flags = 0;
> >                 if (use_tbuf)
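Review bot: the new `**out = '\0'` is guarded only by `if (out)`, not by `*out_len`, so it also runs when the caller's buffer length is 0 even though the comment says it handles the `*out_len == 1` case; consider `if (out && *out_len > 0)` so that a zero-length buffer is never written to. The comment also lacks a space before the closing `*/` (`/* handle special case: *out_len == 1 */`).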
> > --
> > 2.40.1
> > 
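The failure mode described in the reply above, as an added example that is not OpenSBI's code: a small model of a bounded printer whose per-character store only runs while more than one byte remains, shown without and with the up-front '\0' write (the extra `len > 0` guard in the fixed path is an assumption, not part of the patch).

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Model of the per-character store in a bounded printer (hypothetical, not
 * OpenSBI's printc): a character is stored only while more than one byte
 * remains, so the last byte of the caller's buffer is kept for '\0'. */
static void model_printc(char **out, size_t *out_len, char ch)
{
    if (*out_len > 1) {
        *(*out)++ = ch;
        **out = '\0';            /* terminate after every stored char */
        --(*out_len);
    }
}

/* Copy src into buf[len]. With fixed == true, apply the patch's idea and
 * write '\0' up front so a len == 1 buffer is still a valid empty string. */
static void model_snprintf(char *buf, size_t len, const char *src, bool fixed)
{
    char *out = buf;
    if (fixed && len > 0)        /* len > 0 guard is an assumption */
        *out = '\0';
    for (; *src; ++src)
        model_printc(&out, &len, *src);
}

/* True when buf holds a '\0' somewhere in its first len bytes. */
static bool terminated_within(const char *buf, size_t len)
{
    return memchr(buf, '\0', len) != NULL;
}

/* Format "hello" into a len-byte window (len <= 8) pre-filled with garbage.
 * Returns the resulting string length, or (size_t)-1 when the window is not
 * NUL-terminated, i.e. a later strlen()/copy would read past the buffer. */
size_t copied_len(size_t len, bool fixed)
{
    char buf[8];
    memset(buf, 'X', sizeof buf); /* constructed: stale bytes before the call */
    model_snprintf(buf, len, "hello", fixed);
    return terminated_within(buf, len) ? strlen(buf) : (size_t)-1;
}
```

With a 4-byte buffer both variants store "hel"; with a 1-byte buffer only the fixed variant leaves a terminated (empty) string behind.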