]> git.sur5r.net Git - u-boot/commitdiff
hush shell: Avoid string write overflow when entering max cmd length
authorKristian Otnes <kotnes@cisco.com>
Fri, 25 Apr 2014 13:35:43 +0000 (15:35 +0200)
committerTom Rini <trini@ti.com>
Mon, 12 May 2014 19:20:05 +0000 (15:20 -0400)
console_buffer array is defined to be CONFIG_SYS_CBSIZE + 1 long,
whereas the_command array only CONFIG_SYS_CBSIZE long. Subsequent
use of strcpy(the_command, console_buffer) will write final \0
terminating byte outside the_command array when entering a command
of max length.

Signed-off-by: Kristian Otnes <kotnes <at> cisco <dot> com>
common/hush.c

index df10267d644257476fdcad5b22ec1f5d3246cdc6..5b432247599fc521cc184d7ca0b81c8109ee4f8e 100644 (file)
@@ -996,7 +996,7 @@ static void get_user_input(struct in_str *i)
        i->p = the_command;
 #else
        int n;
-       static char the_command[CONFIG_SYS_CBSIZE];
+       static char the_command[CONFIG_SYS_CBSIZE + 1];
 
 #ifdef CONFIG_BOOT_RETRY_TIME
 #  ifndef CONFIG_RESET_TO_RETRY