Gitiles
Code Review Sign In
review.blissroms.org / platform_system_core_old / 3967f81b561cb989ee957aa7e3996e543e20d524^! / .
commit3967f81b561cb989ee957aa7e3996e543e20d524[log] [tgz]
authornks <nks@sixserv.org>Sat Apr 12 18:52:27 2014 +0200
committerColin Cross <ccross@android.com>Sun Apr 13 10:45:30 2014 -0700
treedf452007e85646e8648bf772ba012bd9a12a2e7b
parent835526fdc035cad6d712a7098d0eae37b3995d2c [diff]
Fix buffer overflow in syren utility

Patch for https://code.google.com/p/android/issues/detail?id=68268

A length check for the argv[2] was added in order to prevent buffer
overflow.  Also replace strcpy with strlcpy.

Signed-off-by: nks <nks@sixserv.org>
Change-Id: If65b83e9b658315c672e684f64e3ae00e69fac31

diff --git a/toolbox/syren.c b/toolbox/syren.c
index 06e329e..47c2460 100644
--- a/toolbox/syren.c
+++ b/toolbox/syren.c

@@ -123,7 +123,11 @@
 
 	r = find_reg(argv[2]);
 	if (r == NULL) {
-		strcpy(name, argv[2]);
+		if(strlen(argv[2]) >= sizeof(name)){
+			fprintf(stderr, "REGNAME too long\n");
+			return 0;
+		}
+		strlcpy(name, argv[2], sizeof(name));
 		char *addr_str = strchr(argv[2], ':');
 		if (addr_str == NULL)
 			return usage();
@@ -131,7 +135,7 @@
 		sio.page = strtoul(argv[2], 0, 0);
 		sio.addr = strtoul(addr_str, 0, 0);
 	} else {
-		strcpy(name, r->name);
+		strlcpy(name, r->name, sizeof(name));
 		sio.page = r->page;
 		sio.addr = r->addr;
 	}