DM: Fix potential buffer overflow and uninitialized variable

yonghuah · jren1 · commit 83361018b56e · 2018-07-12T17:32:20.000+08:00
- @'rpmb_check_frame()', avoid buffer overflow access
    when calling 'memcmp()'

Signed-off-by: Yonghua Huang &lt;yonghua.huang@intel.com&gt;
diff --git a/devicemodel/core/hugetlb.c b/devicemodel/core/hugetlb.c
@@ -506,7 +506,7 @@ static bool release_larger_freepage(int level_limit)
  */
 static bool hugetlb_reserve_pages(void)
 {
-	int left_gap, pg_size;
+	int left_gap = 0, pg_size;
 	int level;
 
 	printf("to reserve more free pages:\n");
diff --git a/devicemodel/hw/platform/rpmb/rpmb_backend.c b/devicemodel/hw/platform/rpmb/rpmb_backend.c
@@ -180,6 +180,7 @@ static int rpmb_check_frame(const char *cmd_str, int *err,
 {
 	uint32_t i;
 	uint8_t mac[32];
+	size_t len;
 
 	for (i = 0; i < frame_cnt; i++) {
 		if (write_counter && *write_counter != swap32(frames[i].write_counter)) {
@@ -203,7 +204,11 @@ static int rpmb_check_frame(const char *cmd_str, int *err,
 		return -1;
 	}
 
-	if (addr && !memcmp(cmd_str, WRITE_DATA_STR, sizeof(WRITE_DATA_STR))) {
+	len = strlen(cmd_str) + 1;
+	if (len > sizeof(WRITE_DATA_STR))
+		len = sizeof(WRITE_DATA_STR);
+
+	if (addr && !memcmp(cmd_str, WRITE_DATA_STR, len)) {
 		if (*addr < get_common_blocks()) {
 			*err = RPMB_RES_WRITE_FAILURE;
 			DPRINTF(("%s: Common block is read only\n", cmd_str));

Original file line number	Diff line number	Diff line change
`@@ -506,7 +506,7 @@ static bool release_larger_freepage(int level_limit)`
`506`	`506`	`*/`
`507`	`507`	`static bool hugetlb_reserve_pages(void)`
`508`	`508`	`{`
`509`		`- int left_gap, pg_size;`
	`509`	`+ int left_gap = 0, pg_size;`
`510`	`510`	`int level;`
`511`	`511`
`512`	`512`	`printf("to reserve more free pages:\n");`