boot/efi-string: check the end of haystack before testing remaining pattern

Fixes buffer-overflow reported at https://github.com/systemd/systemd/pull/23589#issuecomment-1151820341.

diff --git a/src/boot/efi/efi-string.c b/src/boot/efi/efi-string.c
index 80ef0ff076f9c5b582ac029d0b7be90b60d684ec..b9ef1548ca24494fe21ab6b1c460905a60aebc97 100644 (file)
--- a/src/boot/efi/efi-string.c
+++ b/src/boot/efi/efi-string.c
@@ -170,15 +170,11 @@ static bool efi_fnmatch_internal(const char16_t *p, const char16_t *h, int max_d
                         while (*p == '*')
                                 p++;
 
-                        do {
+                        for (; *h != '\0'; h++)
                                 /* Try matching haystack with remaining pattern. */
                                 if (efi_fnmatch_internal(p, h, max_depth - 1))
                                         return true;
 
-                                /* Otherwise, we match one char here. */
-                                h++;
-                        } while (*h != '\0');
-
                         /* End of haystack. Pattern needs to be empty too for a match. */
                         return *p == '\0';
 

diff --git a/src/boot/efi/test-efi-string.c b/src/boot/efi/test-efi-string.c
index 5aaa1f713fd43b2a5b4fcb25ecf95d3a3ec1c4fe..178ad766cb460675aff6ceb065351fc89cc77ebb 100644 (file)
--- a/src/boot/efi/test-efi-string.c
+++ b/src/boot/efi/test-efi-string.c
@@ -344,6 +344,7 @@ TEST(efi_fnmatch) {
         TEST_FNMATCH_ONE("*", "123", true);
         TEST_FNMATCH_ONE("**", "abcd", true);
         TEST_FNMATCH_ONE("*b*", "abcd", true);
+        TEST_FNMATCH_ONE("abc*d", "abc", false);
         TEST_FNMATCH_ONE("*.conf", "arch.conf", true);
         TEST_FNMATCH_ONE("debian-*.conf", "debian-wheezy.conf", true);
         TEST_FNMATCH_ONE("debian-*.*", "debian-wheezy.efi", true);