term: Fix overflow on user inputs
This requires a very weird input from the serial interface but can cause an overflow in input_buf (keys) overwriting the next variable (npending) with the user choice: (pahole output) struct grub_terminfo_input_state { int input_buf[6]; /* 0 24 */ int npending; /* 24 4 */ <- CORRUPT ...snip... The magic string requires causing this is "ESC,O,],0,1,2,q" and we overflow npending with "q" (aka increase npending to 161). The simplest fix is to just to disallow overwrites input_buf, which exactly what this patch does. Fixes: CID 292449 Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This commit is contained in:
parent
16c0dbf4bc
commit
61b7ca08d1
1 changed files with 6 additions and 3 deletions
|
@ -398,7 +398,7 @@ grub_terminfo_getwh (struct grub_term_output *term)
|
|||
}
|
||||
|
||||
static void
|
||||
grub_terminfo_readkey (struct grub_term_input *term, int *keys, int *len,
|
||||
grub_terminfo_readkey (struct grub_term_input *term, int *keys, int *len, int max_len,
|
||||
int (*readkey) (struct grub_term_input *term))
|
||||
{
|
||||
int c;
|
||||
|
@ -414,6 +414,9 @@ grub_terminfo_readkey (struct grub_term_input *term, int *keys, int *len,
|
|||
if (c == -1) \
|
||||
return; \
|
||||
\
|
||||
if (*len >= max_len) \
|
||||
return; \
|
||||
\
|
||||
keys[*len] = c; \
|
||||
(*len)++; \
|
||||
}
|
||||
|
@ -602,8 +605,8 @@ grub_terminfo_getkey (struct grub_term_input *termi)
|
|||
return ret;
|
||||
}
|
||||
|
||||
grub_terminfo_readkey (termi, data->input_buf,
|
||||
&data->npending, data->readkey);
|
||||
grub_terminfo_readkey (termi, data->input_buf, &data->npending,
|
||||
GRUB_TERMINFO_READKEY_MAX_LEN, data->readkey);
|
||||
|
||||
#if defined(__powerpc__) && defined(GRUB_MACHINE_IEEE1275)
|
||||
if (data->npending == 1 && data->input_buf[0] == GRUB_TERM_ESC
|
||||
|
|
Loading…
Reference in a new issue