authornks <nks@sixserv.org>2014-04-12 18:52:27 +0200
committerColin Cross <ccross@android.com>2014-04-13 10:45:30 -0700
commit3967f81b561cb989ee957aa7e3996e543e20d524 (patch)
treedf452007e85646e8648bf772ba012bd9a12a2e7b /toolbox
parent835526fdc035cad6d712a7098d0eae37b3995d2c (diff)
Fix buffer overflow in syren utility
Patch for https://code.google.com/p/android/issues/detail?id=68268 A length check for the argv[2] was added in order to prevent buffer overflow. Also replace strcpy with strlcpy. Signed-off-by: nks <nks@sixserv.org> Change-Id: If65b83e9b658315c672e684f64e3ae00e69fac31
Diffstat (limited to 'toolbox')
-rw-r--r--toolbox/syren.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/toolbox/syren.c b/toolbox/syren.c
index 06e329e..47c2460 100644
--- a/toolbox/syren.c
+++ b/toolbox/syren.c
@@ -123,7 +123,11 @@ syren_main(int argc, char **argv)
r = find_reg(argv[2]);
if (r == NULL) {
- strcpy(name, argv[2]);
+ if(strlen(argv[2]) >= sizeof(name)){
+ fprintf(stderr, "REGNAME too long\n");
+ return 0;
+ }
+ strlcpy(name, argv[2], sizeof(name));
char *addr_str = strchr(argv[2], ':');
if (addr_str == NULL)
return usage();
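Review bot: The new over-length branch ends in `return 0;`, so a rejected REGNAME leaves the tool with what looks like a success status, while the `addr_str == NULL` case just below goes through `return usage();`. Returning a non-zero value here, e.g. `return 1;`, would let calling scripts see that the argument was refused. With the `strlen` guard in place the following `strlcpy` can never truncate, so the two could be folded into one test: `if (strlcpy(name, argv[2], sizeof(name)) >= sizeof(name)) {`. The guard is only correct if `name` is an array rather than a pointer; its declaration is outside the hunk, as are the start and end of syren_main.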
@@ -131,7 +135,7 @@ syren_main(int argc, char **argv)
sio.page = strtoul(argv[2], 0, 0);
sio.addr = strtoul(addr_str, 0, 0);
} else {
- strcpy(name, r->name);
+ strlcpy(name, r->name, sizeof(name));
sio.page = r->page;
sio.addr = r->addr;
}
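Review bot: The `strlcpy(name, r->name, sizeof(name));` in the else branch ignores its return value, so a table entry longer than `name` would be truncated silently, unlike the argv[2] path which now reports the problem. `r->name` presumably comes from the built-in register table behind `find_reg`, so this is not attacker-controlled. Still, a short comment such as `/* table names are expected to fit in name[] */`, or a check of the return value against `sizeof(name)`, would make the assumption explicit. The declarations of `name` and the register table are outside the hunk.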