diff options
author | Matt Fleming <matt.fleming@intel.com> | 2011-08-25 11:25:30 +0100 |
---|---|---|
committer | Matt Fleming <matt.fleming@intel.com> | 2011-08-25 11:32:20 +0100 |
commit | 2fbbf0fee5d9166722d518b328186256c10eca56 (patch) | |
tree | aab6278a7990a8bc2e84c19b445a744ebf741954 | |
parent | 3f3b9e4f1d784f6133e11d186fae70da8705ecf3 (diff) | |
download | efilinux-2fbbf0fee5d9166722d518b328186256c10eca56.tar.gz |
efilinux: malloc() size is too small for filename
We should be using sizeof() to figure out how large the buffer needs
to be because the buffer does not hold an array of bytes, rather it's
an array of CHAR16, which is actually 2 bytes. While I'm here cleanup
the error path so that we free() '*name' and '*cmdline' in case of
failure.
Signed-off-by: Matt Fleming <matt.fleming@intel.com>
-rw-r--r-- | entry.c | 28 |
1 files changed, 20 insertions, 8 deletions
@@ -157,9 +157,13 @@ static EFI_STATUS print_memory_map(void) static EFI_STATUS parse_args(CHAR16 *options, UINT32 size, CHAR16 **name, char **cmdline) { - CHAR16 *n, *filename = NULL; + CHAR16 *n, *o, *filename = NULL; + EFI_STATUS err; int i; + *cmdline = NULL; + *name = NULL; + if (!options || size == 0) goto fail; @@ -193,18 +197,20 @@ parse_args(CHAR16 *options, UINT32 size, CHAR16 **name, char **cmdline) } *n++ = '\0'; - *name = malloc(i + 1); - if (!*name) { + o = malloc(sizeof(*o) * (i + 1)); + if (!o) { Print(L"Unable to alloc filename memory\n"); - goto fail; + err = EFI_OUT_OF_RESOURCES; + goto out; } - *name[i--] = '\0'; + o[i--] = '\0'; - StrCpy(*name, filename); + StrCpy(o, filename); + *name = o; break; case 'l': list_boot_devices(); - goto out; + goto fail; case 'm': print_memory_map(); n++; @@ -250,9 +256,15 @@ fail: Print(L"\t-m: print memory map\n"); Print(L"\t-f <filename>: image to load\n"); Print(L"Error"); + err = EFI_INVALID_PARAMETER; + if (*cmdline) + free(*cmdline); + + if (*name) + free(*name); out: - return EFI_INVALID_PARAMETER; + return err; } /** |