commit 5ff895811741f31b8af5f572896c991255655802
author Dominik Ermel <dominik.ermel@nordicsemi.no> Thu Mar 03 17:09:07 2022 +0000
committer Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no> Mon Mar 07 10:18:50 2022 +0100
tree 8e87d8b6f7d3b8ef96ce1b0bde84735f4a56469d
parent c657cbea75f2bb1faf1fceacf972a0537a8d26dd

boot_serial: Fix buffer overflow in boot_serial_out

The buf buffer set to collect total console payload consisting
of total size (two bytes), SMP header (eigth bytes), data payload
(bs_obuf, BOOT_SERIAL_OUT_MAX) and CRC (two bytes), pior to base64
encoding has been set to size of BOOT_SERIAL_OUT_MAX.
This means that if output data len, in bs_obuf, would be longer than
BOOT_SERIAL_OUT_MAX - 8 - 2 - 2, then composing of the output buffer
would overflow.

Signed-off-by: Dominik Ermel <dominik.ermel@nordicsemi.no>

boot/boot_serial/src/boot_serial.c

diff --git a/boot/boot_serial/src/boot_serial.c b/boot/boot_serial/src/boot_serial.c
index ec068fc..79b0f0e 100644
--- a/boot/boot_serial/src/boot_serial.c
+++ b/boot/boot_serial/src/boot_serial.c
@@ -614,8 +614,8 @@
     uint16_t crc;
     uint16_t totlen;
     char pkt_start[2] = { SHELL_NLIP_PKT_START1, SHELL_NLIP_PKT_START2 };
-    char buf[BOOT_SERIAL_OUT_MAX];
-    char encoded_buf[BASE64_ENCODE_SIZE(BOOT_SERIAL_OUT_MAX)];
+    char buf[BOOT_SERIAL_OUT_MAX + sizeof(*bs_hdr) + sizeof(crc) + sizeof(totlen)];
+    char encoded_buf[BASE64_ENCODE_SIZE(sizeof(buf))];
 
     data = bs_obuf;
     len = (uint32_t)cbor_state.payload_mut - (uint32_t)bs_obuf;