boot_serial: Fix buffer overflow in boot_serial_out

The buf buffer set to collect total console payload consisting
of total size (two bytes), SMP header (eight bytes), data payload
(bs_obuf, BOOT_SERIAL_OUT_MAX) and CRC (two bytes), prior to base64
encoding has been set to size of BOOT_SERIAL_OUT_MAX.
This means that if output data len, in bs_obuf, would be longer than
BOOT_SERIAL_OUT_MAX - 8 - 2 - 2, then composing of the output buffer
would overflow.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>
Dominik Ermel 2022-03-03 17:09:07 +00:00 committed by Andrzej Puzdrowski
parent c657cbea75
commit 5ff8958117
1 changed files with 2 additions and 2 deletions

@ -614,8 +614,8 @@ boot_serial_output(void)
uint16_t crc; uint16_t crc;
uint16_t totlen; uint16_t totlen;
char pkt_start[2] = { SHELL_NLIP_PKT_START1, SHELL_NLIP_PKT_START2 }; char pkt_start[2] = { SHELL_NLIP_PKT_START1, SHELL_NLIP_PKT_START2 };
char buf[BOOT_SERIAL_OUT_MAX]; char buf[BOOT_SERIAL_OUT_MAX + sizeof(*bs_hdr) + sizeof(crc) + sizeof(totlen)];
char encoded_buf[BASE64_ENCODE_SIZE(BOOT_SERIAL_OUT_MAX)]; char encoded_buf[BASE64_ENCODE_SIZE(sizeof(buf))];
data = bs_obuf; data = bs_obuf;
len = (uint32_t)cbor_state.payload_mut - (uint32_t)bs_obuf; len = (uint32_t)cbor_state.payload_mut - (uint32_t)bs_obuf;
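
Review bot: on the `char buf[...]` line, the enlarged buffer is only sufficient while `len` stays at or below BOOT_SERIAL_OUT_MAX, and in the visible lines `len` comes straight from `cbor_state.payload_mut - bs_obuf` with no bound shown. Consider an explicit check that `len <= BOOT_SERIAL_OUT_MAX` before the frame is composed (an assert, if the encoder already guarantees it), so the sizing assumption is enforced in this function rather than implied. Separately, `buf` and `encoded_buf` are both locals and both grow with this change, so the stack budget for this path is worth re-checking. A named macro for `BOOT_SERIAL_OUT_MAX + sizeof(*bs_hdr) + sizeof(crc) + sizeof(totlen)` would also keep the frame layout and the buffer size from drifting apart.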