On Sat, Jan 04, 2025 at 12:21:18AM +0100, Heinrich Schuchardt wrote: > Using strstr() instead of strnstr() creates a security concern. > > Fixes: 1c41a7afaa15 ("net: lwip: build lwIP") > Signed-off-by: Heinrich Schuchardt <heinrich.schucha...@canonical.com> > Reviewed-by: Jerome Forissier <jerome.foriss...@linaro.org> > --- > lib/lwip/u-boot/arch/cc.h | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/lib/lwip/u-boot/arch/cc.h b/lib/lwip/u-boot/arch/cc.h > index de138846358..6104c296f6f 100644 > --- a/lib/lwip/u-boot/arch/cc.h > +++ b/lib/lwip/u-boot/arch/cc.h > @@ -34,7 +34,7 @@ > x, __LINE__, __FILE__); } while (0) > > #define atoi(str) (int)dectoul(str, NULL) > -#define lwip_strnstr(a, b, c) strstr(a, b) > +#define lwip_strnstr(a, b, c) strnstr(a, b, c) > > #define LWIP_ERR_T int > #define LWIP_CONST_CAST(target_type, val) ((target_type)((uintptr_t)val))
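Review bot: the added `#define lwip_strnstr(a, b, c) strnstr(a, b, c)` line makes cc.h depend on a strnstr() declaration being visible in every file that includes it, and this one-line hunk adds no include or fallback for that. Please confirm that every configuration that builds lwIP provides strnstr(), or add the declaration alongside the macro. The commit message would also be clearer if it said what the concern is: judging by the removed line, the old macro discarded the length argument c, so the search in a was bounded only by a NUL terminator.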
This leads to:
https://dev.azure.com/u-boot/u-boot/_build/results?buildId=10370&view=logs&j=45c0c132-56cd-504a-56c7-1b8a534aa92b&t=f95d3367-9db2-5f2a-d3ed-8901d714dd66
as a failure, that I only end up seeing in Azure (I didn't track down if there's some good reason we don't see this in Gitlab).

--
Tom