The function label_boot_extension() calls snprintf() on the buffer overlay_dir. However, this buffer is not set up properly. In the "if" branch it is allocated using the variable "len", which is smaller than the size needed for the resulting string. In the "else" branch it is not initialized at all. This results in a crash when running the "sysboot" command.
This commit fixes this issue.
Signed-off-by: Surkov Kirill <[email protected]>
---
 boot/pxe_utils.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/boot/pxe_utils.c b/boot/pxe_utils.c
index 038416203fc..a2a9810a4cf 100644
--- a/boot/pxe_utils.c
+++ b/boot/pxe_utils.c
@@ -474,7 +474,7 @@ static void label_boot_extension(struct pxe_context *ctx,
 slash = "";
 dir_len = strlen(label->fdtdir) + strlen(slash) + 1;
- overlay_dir = calloc(1, len);
+ overlay_dir = calloc(1, dir_len);
 if (!overlay_dir)
 return;
@@ -482,6 +482,9 @@ static void label_boot_extension(struct pxe_context *ctx,
 slash);
 } else {
 dir_len = 2;
+ overlay_dir = calloc(1, dir_len);
+ if (!overlay_dir)
+ return;
 snprintf(overlay_dir, dir_len, "/");
 }
-- 
2.43.0
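Review bot: The corrected `calloc(1, dir_len)` in the first hunk would benefit from a one-line comment, because the overflow came from sizing the allocation with `len` while the write is presumably bounded by `dir_len`, and `len` appears to stay in scope right next to it. Something like `/* dir_len includes the trailing NUL and is also the snprintf() bound below */` above the allocation would keep the two sizes from drifting apart again. The snprintf() call for this branch and the rest of label_boot_extension() lie outside this hunk, so whether overlay_dir is released on every later exit path cannot be confirmed from here.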
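Review bot: The new `if (!overlay_dir) return;` in the else branch of the second hunk fails silently, as does the existing check in the first hunk. label_boot_extension() is void, so on allocation failure the caller gets no indication that the rest of the extension handling was skipped. A short diagnostic before the return, for example `printf("%s: out of memory\n", __func__);` in whatever logging style the file already uses, would make that visible on the console. The function starts and ends outside both hunks, so any cleanup needed before returning at this point would have to be checked against the full body.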

