From 6da11cc81ea773d9a1e3059da311c6f2e2aeb6ef Mon Sep 17 00:00:00 2001 From: Heinrich Schuchardt Date: Fri, 29 Sep 2023 02:47:17 +0200 Subject: stdio: fix stdio_deregister_dev() When copying the name of a stdio device we must ensure that it is NUL terminated before passing it to strcmp() to avoid a buffer overrun. Truncating the name field leads to failure to deregister a stdio device. When copying we must ensure that the name field sizes match. Addresses-Coverity-ID: 350462 String not null terminated Fixes: 5294e97832a6 ("stdio: extend "name" to 32 symbols") Signed-off-by: Heinrich Schuchardt Reviewed-by: Simon Glass --- common/stdio.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'common/stdio.c') diff --git a/common/stdio.c b/common/stdio.c index 010bf576af0..e3354f092dc 100644 --- a/common/stdio.c +++ b/common/stdio.c @@ -259,7 +259,7 @@ int stdio_register(struct stdio_dev *dev) int stdio_deregister_dev(struct stdio_dev *dev, int force) { struct list_head *pos; - char temp_names[3][16]; + char temp_names[3][STDIO_NAME_LEN]; int i; /* get stdio devices (ListRemoveItem changes the dev list) */ @@ -272,8 +272,8 @@ int stdio_deregister_dev(struct stdio_dev *dev, int force) /* Device is assigned -> report error */ return -EBUSY; } - memcpy(&temp_names[i][0], stdio_devices[i]->name, - sizeof(temp_names[i])); + strlcpy(&temp_names[i][0], stdio_devices[i]->name, + sizeof(temp_names[i])); } list_del(&dev->list); -- cgit v1.3.1