aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDavid Horstmann <david.horstmann@arm.com>2021-07-26 16:31:42 +0100
committerDavid Horstmann <david.horstmann@arm.com>2021-07-26 16:42:25 +0100
commitd0d642450f1f3a0f43e0e156ef57a0c460dd48cf (patch)
tree8f0d28da8f47a6d58363ac5efb2888da40f1b9b6
parentf98c0bea9c31630fce4895b8ae2fc50e399fe9ec (diff)
downloadtrusted-firmware-a-d0d642450f1f3a0f43e0e156ef57a0c460dd48cf.tar.gz
fix(fdt): fix OOB write in uuid parsing function
The function read_uuid() zeroes the UUID destination buffer on error. However, it mistakenly uses the dest pointer that has been incremented many times during the parsing, leading to an out-of-bounds write. To fix this, retain a pointer to the start of the buffer, and use this when clearing it instead. Signed-off-by: David Horstmann <david.horstmann@arm.com> Change-Id: Iee8857be5d3f383ca2eab86cde99a43bf606f306
-rw-r--r--common/uuid.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/common/uuid.c b/common/uuid.c
index dd3c7b02f5..ac6db50a08 100644
--- a/common/uuid.c
+++ b/common/uuid.c
@@ -73,6 +73,7 @@ static int read_hex(uint8_t *dest, char *hex_src, unsigned int hex_src_len)
int read_uuid(uint8_t *dest, char *uuid)
{
int err;
+ uint8_t *dest_start = dest;
/* Check that we have enough characters */
if (strnlen(uuid, UUID_STRING_LENGTH) != UUID_STRING_LENGTH) {
@@ -124,7 +125,7 @@ int read_uuid(uint8_t *dest, char *uuid)
if (err < 0) {
WARN("Error parsing UUID\n");
/* Clear the buffer on error */
- memset((void *)dest, '\0', UUID_BYTES_LENGTH * sizeof(uint8_t));
+ memset((void *)dest_start, '\0', UUID_BYTES_LENGTH * sizeof(uint8_t));
return -EINVAL;
}