| Message ID | 20230905095914.1699335-1-konstantin.meskhidze@huawei.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | kconfig: fix possible buffer overflow | expand |
On Tue, Sep 5, 2023 at 6:59 PM Konstantin Meskhidze <konstantin.meskhidze@huawei.com> wrote: > > Buffer 'new_argv' is accessed without bound check after accessing with > bound check via 'new_argc' index. > > Fixes: e298f3b49def ("kconfig: add built-in function support") > Co-developed-by: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com> > Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> > --- Applied to linux-kbuild. Thanks.
diff --git a/scripts/kconfig/preprocess.c b/scripts/kconfig/preprocess.c index 748da578b418..d1f5bcff4b62 100644 --- a/scripts/kconfig/preprocess.c +++ b/scripts/kconfig/preprocess.c @@ -387,24 +387,27 @@ static char *eval_clause(const char *str, size_t len, int argc, char *argv[]) if (new_argc >= FUNCTION_MAX_ARGS) pperror("too many function arguments"); new_argv[new_argc++] = prev; prev = p + 1; } else if (*p == '(') { nest++; } else if (*p == ')') { nest--; } p++; } + + if (new_argc >= FUNCTION_MAX_ARGS) + pperror("too many function arguments"); new_argv[new_argc++] = prev; /* * Shift arguments * new_argv[0] represents a function name or a variable name. Put it * into 'name', then shift the rest of the arguments. This simplifies * 'const' handling. */ name = expand_string_with_args(new_argv[0], argc, argv); new_argc--; for (i = 0; i < new_argc; i++) new_argv[i] = expand_string_with_args(new_argv[i + 1],
Buffer 'new_argv' is accessed without bound check after accessing with bound check via 'new_argc' index. Fixes: e298f3b49def ("kconfig: add built-in function support") Co-developed-by: Ivanov Mikhail <ivanov.mikhail1@huawei-partners.com> Signed-off-by: Konstantin Meskhidze <konstantin.meskhidze@huawei.com> --- scripts/kconfig/preprocess.c | 3 +++ 1 file changed, 3 insertions(+)