| 修订版 | 085cbdafca9c3d7bc2f27523a343f61db82f2ccb (tree) |
|---|---|
| 时间 | 2022-07-19 00:21:49 |
| 作者 | Heinrich Schuchardt <heinrich.schuchardt@cano...> |
| Commiter | Heinrich Schuchardt |
pxe: simplify label_boot()
Coverity CID 131256 indicates a possible buffer overflow in label_boot().
This would only occur if the size of the downloaded file would exceed 4
GiB. But anyway we can simplify the code by using snprintf() and checking
the return value.
Addresses-Coverity-ID: 131256 ("Security best practices violations (STRING_OVERFLOW)")
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Ramon Fried <rfried.dev@gmail.com>
Reviewed-by: Artem Lapkin <email2tema@gmail.com>
boot/pxe_utils.c (diff)| @@ -532,11 +532,10 @@ static int label_boot(struct pxe_context *ctx, struct pxe_label *label) | ||
| 532 | 532 | } |
| 533 | 533 | |
| 534 | 534 | initrd_addr_str = env_get("ramdisk_addr_r"); |
| 535 | - strcpy(initrd_filesize, simple_xtoa(size)); | |
| 536 | - | |
| 537 | - strncpy(initrd_str, initrd_addr_str, 18); | |
| 538 | - strcat(initrd_str, ":"); | |
| 539 | - strncat(initrd_str, initrd_filesize, 9); | |
| 535 | + size = snprintf(initrd_str, sizeof(initrd_str), "%s:%lx", | |
| 536 | + initrd_addr_str, size); | |
| 537 | + if (size >= sizeof(initrd_str)) | |
| 538 | + return 1; | |
| 540 | 539 | } |
| 541 | 540 | |
| 542 | 541 | if (get_relfile_envaddr(ctx, label->kernel, "kernel_addr_r", |
Fork