[PATCH v5 12/14] lib: sbi: Fix timing of clearing tbuf
Xiang W
wxjstz at 126.com
Thu Jun 8 20:36:06 PDT 2023
A single scan of the format char may add multiple characters to the
tbuf, causing a buffer overflow. You should check if tbuf is full in
printc so that it does not cause a buffer overflow.
Signed-off-by: Xiang W <wxjstz at 126.com>
---
lib/sbi/sbi_console.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/lib/sbi/sbi_console.c b/lib/sbi/sbi_console.c
index c227b0f..2eefee1 100644
--- a/lib/sbi/sbi_console.c
+++ b/lib/sbi/sbi_console.c
@@ -18,6 +18,8 @@
#define PAD_ZERO 2
#define PAD_ALTERNATE 4
#define PAD_SIGN 8
+#define USED_TBUF (1 << (8 * sizeof(int) - 1))
+
#define PRINT_BUF_LEN 64
#define CONSOLE_TBUF_MAX 256
@@ -161,6 +163,11 @@ append:
info->out[info->pos++] = ch;
info->out[info->pos] = '\0';
info->pc++;
+
+ if ((info->flags & USED_TBUF) && (info->len - info->pos <= 1)) {
+ nputs_all(info->out, info->pos);
+ info->pos = 0;
+ }
}
static void prints(struct print_info *info, const char *string)
@@ -266,10 +273,9 @@ static void print(struct print_info *info, const char *format, va_list args)
}
for (; *format != 0; ++format) {
- if (use_tbuf && (info->len - info->pos <= 1)) {
- nputs_all(info->out, info->pos);
- info->pos = 0;
- }
+ info->flags = 0;
+ if (use_tbuf)
+ info->flags |= USED_TBUF;
if (*format == '%') {
++format;
if (*format == '\0')
@@ -277,7 +283,6 @@ static void print(struct print_info *info, const char *format, va_list args)
if (*format == '%')
goto literal;
/* Get flags */
- info->flags = 0;
flags_done = false;
while (!flags_done) {
switch (*format) {
--
2.39.2
More information about the opensbi
mailing list