From b83f865e75aecf7edbc75c3794b3e29ef5bff5a2 Mon Sep 17 00:00:00 2001 From: Andrew Goodbody Date: Mon, 21 Jul 2025 15:43:36 +0100 Subject: [PATCH] cmd: elf: Prevent possible buffer overflow In do_bootvx the environment variable 'bootdev' is fetched and copied into a buffer without confirming that it will not overflow that buffer. Use strlcpy to ensure that the buffer will not be overflowed. This issue was found by Smatch. Signed-off-by: Andrew Goodbody --- cmd/elf.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/cmd/elf.c b/cmd/elf.c index 5e0ee30a7c8..53ec193aaa6 100644 --- a/cmd/elf.c +++ b/cmd/elf.c @@ -21,6 +21,8 @@ #include #endif +#define BOOTLINE_BUF_LEN 128 + /* Interpreter command to boot an arbitrary ELF image from memory */ int do_bootelf(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[]) { @@ -114,7 +116,7 @@ int do_bootvx(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[]) unsigned long bootaddr = 0; /* Address to put the bootline */ char *bootline; /* Text of the bootline */ char *tmp; /* Temporary char pointer */ - char build_buf[128]; /* Buffer for building the bootline */ + char build_buf[BOOTLINE_BUF_LEN]; /* Buffer for building the bootline */ int ptr = 0; #ifdef CONFIG_X86 ulong base; @@ -226,7 +228,7 @@ int do_bootvx(struct cmd_tbl *cmdtp, int flag, int argc, char *const argv[]) if (!bootline) { tmp = env_get("bootdev"); if (tmp) { - strcpy(build_buf, tmp); + strlcpy(build_buf, tmp, BOOTLINE_BUF_LEN); ptr = strlen(tmp); } else { printf("## VxWorks boot device not specified\n"); -- 2.47.2