From 078a5a0e7ca006f6536d3a72e94f49f4d52f8953 Mon Sep 17 00:00:00 2001 From: Yu-Ping Wu Date: Thu, 15 Aug 2024 10:17:38 +0800 Subject: [PATCH] commonlib/bsd/string: Fix pointer overflow for strnlen() When `maxlen` is large (such as SIZE_MAX), the `end` pointer will overflow, causing strnlen() to incorrectly return 0. To not make the implementation over-complicated, fix the problem by using a counter. BUG=b:359951393 TEST=make unit-tests -j BRANCH=none Change-Id: Ic9d983b11391f5e05c2bceb262682aced5206f94 Signed-off-by: Yu-Ping Wu Reviewed-on: https://review.coreboot.org/c/coreboot/+/83914 Reviewed-by: Julius Werner Reviewed-by: Karthik Ramasubramanian Tested-by: build bot (Jenkins) Reviewed-by: Mario Scheithauer --- src/commonlib/bsd/string.c | 10 ++++------ tests/commonlib/bsd/string-test.c | 3 +++ 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/src/commonlib/bsd/string.c b/src/commonlib/bsd/string.c index 16cd4b5e1d..56670e8862 100644 --- a/src/commonlib/bsd/string.c +++ b/src/commonlib/bsd/string.c @@ -15,12 +15,10 @@ size_t strlen(const char *str) size_t strnlen(const char *str, size_t maxlen) { - const char *ptr = str; - const char *end = str + maxlen + 1; - - while (*ptr++ && ptr < end) - ; - return ptr - str - 1; + size_t len = 0; + while (*str++ && len < maxlen) + len++; + return len; } char *strcat(char *dst, const char *src) diff --git a/tests/commonlib/bsd/string-test.c b/tests/commonlib/bsd/string-test.c index 37419f049d..194177abbb 100644 --- a/tests/commonlib/bsd/string-test.c +++ b/tests/commonlib/bsd/string-test.c @@ -23,6 +23,9 @@ static void test_strlen(void **state) static void test_strnlen(void **state) { + /* maxlen is SIZE_MAX */ + assert_int_equal(8, strnlen("coreboot", SIZE_MAX)); + /* maxlen larger than string len */ assert_int_equal(8, strnlen("coreboot", 100));