author Christian Marangi <ansuelsmth@gmail.com> 2025-06-29 15:21:18 +0200
committer Tom Rini <trini@konsulko.com> 2025-07-08 18:15:20 -0600
commit 0ffd456516b5f0c126c9705d6b2368a45ee2353f
tree 6de66e3c34cc67faec23fa60e8fcc2e0c0c30c82 /arch/sandbox
parent 1930a7df10b18f0f4b67d868632896233dded981
env: Fix possible out-of-bound access in env_do_env_set
It was discovered that env_do_env_set() has long suffered from a possible out-of-bound access in the argv array handling.

The BUG is present in the function env_do_env_set() at the line:

    name = argv[1];

where the function at this point assumes the argv at index 1 is always present and can't be NULL. Aside from the fact that it's always better to validate an argv entry with the argc variable, a situation where argv[1] is NULL is actually possible and not an error condition.

An example of where an out-of-bound access is triggered is with the command "askenv - Press ENTER to ...". This is a common pattern for a bootmenu entry to ask for user input after a bootmenu command succeeded.

In the context of such a command, the while loop before "name = argv[1];" parses the "-" char as an option arg and increments the argv pointer by one (to make the rest of the logic code ignore the option argv) and decrements the argc value.

The while loop logic is correct, but at the "name = argv[1];" line, argv has only one element left (the "-" char) and accessing argv[1] (aka the second element from the argv pointer) causes an out-of-bound access (making the bootloader eventually crash with strchr searching in invalid data).

To better handle this and prevent the out-of-bound access, actually check the argv entries left (with the use of the argc variable) and exit early before doing any kind of array access.

Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Diffstat (limited to 'arch/sandbox')
0 files changed, 0 insertions, 0 deletions
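
The argument-handling pattern the commit message describes, as an added example that is not U-Boot source or code from this commit. The function `model_env_set`, its return codes, the `demo_*` helpers and the sample argument lists are all hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { SET_OK = 0, SET_USAGE = 1 };   /* return codes are assumptions */

/* Hypothetical model of the pattern in the commit message, not U-Boot source. */
static int model_env_set(int argc, char *const argv[], const char **name)
{
    /* Treat each leading "-..." word as an option: step argv, shrink argc. */
    while (argc > 1 && argv[1][0] == '-') {
        ++argv;
        --argc;
    }
    /* The check the message asks for: argv[1] exists only if argc >= 2. */
    if (argc < 2)
        return SET_USAGE;
    if (strchr(argv[1], '=') != NULL)  /* safe: argv[1] is a real string */
        return SET_USAGE;
    *name = argv[1];
    return SET_OK;
}

/* Constructed input: only "-" follows the command word, as in "askenv - ...". */
static int demo_dash_only(void)
{
    char *const argv[] = { "setenv", "-" };   /* exactly argc entries, no spare slot */
    const char *name = NULL;
    return model_env_set(2, argv, &name);
}

/* Constructed input: an option word followed by a name and a value. */
static const char *demo_option_then_name(void)
{
    char *const argv[] = { "setenv", "-f", "bootdelay", "3" };
    const char *name = NULL;
    return model_env_set(4, argv, &name) == SET_OK ? name : NULL;
}

int main(void)
{
    printf("dash only -> %d\n", demo_dash_only());
    printf("name      -> %s\n", demo_option_then_name());
    return 0;
}
```

Without the `argc < 2` check, the dash-only case would hand `strchr` whatever lies past the last argument, which is the crash the message reports.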