diff options
authorCarl-Daniel Hailfinger <c-d.hailfinger.devel.2006@gmx.net>2016-03-13 17:36:49 +0000
committerCarl-Daniel Hailfinger <c-d.hailfinger.devel.2006@gmx.net>2016-03-13 17:36:49 +0000
commita76713a6e8a39fc845386d14e696fd12248d7688 (patch)
parentbebf86b63c4d32b69d22fbad63fb989cfb017eef (diff)
Fix fscanf format string security bug in layout.c
An internal security audit of the flashrom project by Carl-Daniel Hailfinger found a buffer overflow bug present in all flashrom versions since the year 2005. This bug was independently found and reported to flashrom.org by Cosmin Gorgovan a few days ago. A buffer on the stack and a buffer on the heap are affected by the overflow caused by an incorrect fscanf format string. The buffer overflow can only be triggered if the optional layout feature is used and if the user manually specifies a specially crafted layout file on the command line. Command line parsing and flash image handling do not trigger the buggy code path. Most usage of flashrom does not involve layout files. The fix in this commit (changed fscanf format string) can be applied to layout.c of all past flashrom versions. Corresponding to flashrom svn r1953. Signed-off-by: Carl-Daniel Hailfinger <c-d.hailfinger.devel.2006@gmx.net> Acked-by: Stefan Tauner <stefan.tauner@alumni.tuwien.ac.at>
1 files changed, 1 insertions, 1 deletions
diff --git a/layout.c b/layout.c
index d039451..f71eeaa 100644
--- a/layout.c
+++ b/layout.c
@@ -68,7 +68,7 @@ int read_romlayout(const char *name)
return 1;
- if (2 != fscanf(romlayout, "%s %s\n", tempstr, rom_entries[num_rom_entries].name))
+ if (2 != fscanf(romlayout, "%255s %255s\n", tempstr, rom_entries[num_rom_entries].name))
#if 0
// fscanf does not like arbitrary comments like that :( later