fix(fdt): fix OOB write in uuid parsing function The function read_uuid() zeroes the UUID destination buffer on error. However, it mistakenly uses the dest pointer that has been incremented many times during the parsing, leading to an out-of-bounds write. To fix this, retain a pointer to the start of the buffer, and use this when clearing it instead. Signed-off-by: David Horstmann <david.horstmann@arm.com> Change-Id: Iee8857be5d3f383ca2eab86cde99a43bf606f306

commit: 03003b01e7b3314941a938131c9e587801f027c8 [log] [tgz]
author: David Horstmann <david.horstmann@arm.com> Mon Jul 26 16:31:42 2021 +0100
committer: David Horstmann <david.horstmann@arm.com> Mon Jul 26 16:42:25 2021 +0100
tree: 8f0d28da8f47a6d58363ac5efb2888da40f1b9b6
parent: dd8af683a5f323e730aba6e08331430680926b9e [diff] [blame]
diff --git a/common/uuid.c b/common/uuid.c
index dd3c7b0..ac6db50 100644
--- a/common/uuid.c
+++ b/common/uuid.c

@@ -73,6 +73,7 @@
 int read_uuid(uint8_t *dest, char *uuid)
 {
 	int err;
+	uint8_t *dest_start = dest;
 
 	/* Check that we have enough characters */
 	if (strnlen(uuid, UUID_STRING_LENGTH) != UUID_STRING_LENGTH) {
@@ -124,7 +125,7 @@
 	if (err < 0) {
 		WARN("Error parsing UUID\n");
 		/* Clear the buffer on error */
-		memset((void *)dest, '\0', UUID_BYTES_LENGTH * sizeof(uint8_t));
+		memset((void *)dest_start, '\0', UUID_BYTES_LENGTH * sizeof(uint8_t));
 		return -EINVAL;
 	}
commit	03003b01e7b3314941a938131c9e587801f027c8	[log] [tgz]
author	David Horstmann <david.horstmann@arm.com>	Mon Jul 26 16:31:42 2021 +0100
committer	David Horstmann <david.horstmann@arm.com>	Mon Jul 26 16:42:25 2021 +0100
tree	8f0d28da8f47a6d58363ac5efb2888da40f1b9b6
parent	dd8af683a5f323e730aba6e08331430680926b9e [diff] [blame]