Skip to content

shell: utils: Fix buffer overrun in shell_spaces_trim #23304

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 6, 2020
Merged

shell: utils: Fix buffer overrun in shell_spaces_trim #23304

merged 1 commit into from
Mar 6, 2020

Conversation

ceolin
Copy link
Member

@ceolin ceolin commented Mar 5, 2020

The third argument in memmove can possible be greater than remaining
buffer size. Just ensuring that memmove will changes bytes only inside
the string buffer and nothing else.

Signed-off-by: Flavio Ceolin [email protected]

shell: utils: Fix buffer overrun in shell_spaces_trim
1c181ae 
The third argument in memmove can possible be greater than remaining
buffer size. Just ensuring that memmove will changes bytes only inside
the string buffer and nothing else.

Signed-off-by: Flavio Ceolin <[email protected]>
@ceolin ceolin requested review from d3zd3z and jhedberg March 5, 2020 19:41
@ceolin ceolin added area: Shell Shell subsystem priority: high High impact/importance bug labels Mar 5, 2020
@ceolin ceolin added this to the v2.2.0 milestone Mar 5, 2020
@jhedberg jhedberg added the bug The issue is a bug, or the PR is fixing a bug label Mar 5, 2020
@jakub-uC
Copy link
Contributor

jakub-uC commented Mar 5, 2020

May you please elaborate on how this can happen? Any example?

@jhedberg
Copy link
Member

jhedberg commented Mar 5, 2020

I'll wait for a review from a shell subsystem maintainer before merging

jakub-uC
jakub-uC reviewed Mar 5, 2020
View reviewed changes
Copy link
Contributor

@jakub-uC jakub-uC left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As mentioned before. Please let me know what is the scenario to overrun the buffer?

@ceolin
Copy link
Member Author

ceolin commented Mar 5, 2020

As mentioned before. Please let me know what is the scenario to overrun the buffer?

Consider a long string which ends with two spaces followed by a non-space character. When the function calls memmove, the first and second arguments would point near the end of the string, while shift would be equal to 2. The third argument then ends up equal to the length of the string minus 3, which when added to either pointer results in a address that is located outside of the string buffer.

@nordic-krch
Copy link
Contributor

@ceolin didn't want to push directly to your branch but i wrote the test to confirm the bug. Feel free to cherry-pick it into that PR: nordic-krch@abe8b15

jakub-uC
jakub-uC approved these changes Mar 6, 2020
View reviewed changes
Copy link
Contributor

@jakub-uC jakub-uC left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ceolin thank you :)

@jhedberg jhedberg merged commit a2872c3 into zephyrproject-rtos:master Mar 6, 2020
This was referenced Mar 20, 2020
Merged
Merged
@ceolin ceolin deleted the shell branch July 17, 2023 18:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jhedberg jhedberg jhedberg approved these changes

@carlescufi carlescufi carlescufi approved these changes

@nordic-krch nordic-krch nordic-krch approved these changes

@jakub-uC jakub-uC jakub-uC approved these changes

@d3zd3z d3zd3z Awaiting requested review from d3zd3z

Assignees
No one assigned
Labels
area: Shell Shell subsystem bug The issue is a bug, or the PR is fixing a bug priority: high High impact/importance bug
Projects
None yet
Milestone
v2.2.0
Development

Successfully merging this pull request may close these issues.
5 participants
@ceolin @jakub-uC @jhedberg @nordic-krch @carlescufi