diff options
| author | Heinrich Schuchardt | 2023-05-02 04:34:09 +0200 |
|---|---|---|
| committer | Tom Rini | 2023-05-31 17:23:01 -0400 |
| commit | 7bae13da36477ce451ef5975e0cf79dbe035b52c (patch) | |
| tree | 8d2cf90e7e8af689f178237f068fcee64f274f28 | |
| parent | 1310ad3aacf5cae97a2f3457ec9ef56f0d88bc09 (diff) | |
cli: avoid buffer overrun
Invoking the sandbox with
/u-boot -c ⧵0xef⧵0xbf⧵0xbd
results in a segmentation fault.
Function b_getch() retrieves a character from the input stream. This
character may be > 0x7f. If type char is signed, static_get() will
return a negative number and in parse_stream() we will use that
negative number as an index for array map[] resulting in a buffer
overflow.
Reported-by: Harry Lockyer <harry_lockyer@tutanota.com>
Signed-off-by: Heinrich Schuchardt <heinrich.schuchardt@canonical.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
| -rw-r--r-- | common/cli_hush.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/common/cli_hush.c b/common/cli_hush.c index 171069f5f49..cee87249bc2 100644 --- a/common/cli_hush.c +++ b/common/cli_hush.c @@ -324,7 +324,7 @@ typedef struct { /* I can almost use ordinary FILE *. Is open_memstream() universally * available? Where is it documented? */ struct in_str { - const char *p; + const unsigned char *p; #ifndef __U_BOOT__ char peek_buf[2]; #endif |