On Sat, Jan 04, 2025 at 12:21:18AM +0100, Heinrich Schuchardt wrote:
> Using strstr() instead of strnstr() creates a security concern.
>
> Fixes: 1c41a7afaa15 ("net: lwip: build lwIP")
> Signed-off-by: Heinrich Schuchardt <heinrich.schucha...@canonical.com>
> Reviewed-by: Jerome Forissier <jerome.foriss...@linaro.org>
> ---
> lib/lwip/u-boot/arch/cc.h | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/lwip/u-boot/arch/cc.h b/lib/lwip/u-boot/arch/cc.h
> index de138846358..6104c296f6f 100644
> --- a/lib/lwip/u-boot/arch/cc.h
> +++ b/lib/lwip/u-boot/arch/cc.h
> @@ -34,7 +34,7 @@
> x, __LINE__, __FILE__); } while (0)
>
> #define atoi(str) (int)dectoul(str, NULL)
> -#define lwip_strnstr(a, b, c) strstr(a, b)
> +#define lwip_strnstr(a, b, c) strnstr(a, b, c)
>
> #define LWIP_ERR_T int
> #define LWIP_CONST_CAST(target_type, val) ((target_type)((uintptr_t)val))This leads to: https://dev.azure.com/u-boot/u-boot/_build/results?buildId=10370&view=logs&j=45c0c132-56cd-504a-56c7-1b8a534aa92b&t=f95d3367-9db2-5f2a-d3ed-8901d714dd66 as a failure, that I only end up seeing in Azure (I didn't track down if there's some good reason we don't see this in Gitlab). -- Tom
signature.asc
Description: PGP signature
