tools: Ensure that kernelfile and kernelparams are null-terminated

Analogously to read_env(), ensure also when reading an environment from a specified file that those statically sized strings are properly terminated before accessing them. Prevents potential out-of-bounds read accesses in bg_printenv or bg_setenv. Addresses CVE-2023-39950 Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
siemens · Aug 10, 2023 · 965d65c · 965d65c
1 parent 16f8ec2
commit 965d65c
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/tools/bg_envtools.c b/tools/bg_envtools.c
@@ -154,5 +154,10 @@ bool get_env(char *configfilepath, BG_ENVDATA *data)
 		VERBOSE(stderr,
 			"Error closing environment file after reading.\n");
 	};
+
+	/* enforce NULL-termination of strings */
+	data->kernelfile[ENV_STRING_LENGTH - 1] = 0;
+	data->kernelparams[ENV_STRING_LENGTH - 1] = 0;
+
 	return result;
 }