commit ec1e4d1bef6e4281d6b71f4b8546b1afca6363fa
author Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no> Mon Jun 18 14:36:14 2018 +0200
committer Carles Cufí <carles.cufi@nordicsemi.no> Wed Jun 20 16:08:58 2018 +0200
tree 3e8c51049c7668f6fcac3c72aaf1bf3c3838e0c3
parent 5e48c55df9bec29a0d44db4d5da65ca4c24a011a

boot_serial: preserve against buffer overflow for zephyr

For zephyr it was possible to make buffer overflow while decoding
incoming base64 sting. This patch correct the available
buffer size transferred to base64 decoding function, which mitigate the
issue.

Clean up boot_serial_start function from unwanted
execution constant pointers.

Signed-off-by: Andrzej Puzdrowski <andrzej.puzdrowski@nordicsemi.no>
Signed-off-by: Carles Cufi <carles.cufi@nordicsemi.no>

boot/boot_serial/src/boot_serial.c

diff --git a/boot/boot_serial/src/boot_serial.c b/boot/boot_serial/src/boot_serial.c
index 6257613..74ac828 100644
--- a/boot/boot_serial/src/boot_serial.c
+++ b/boot/boot_serial/src/boot_serial.c
@@ -514,7 +514,7 @@
     uint16_t len;
 #ifdef __ZEPHYR__
     int err;
-    err = base64_decode( &out[*out_off], maxout, &rc, in, inlen - 2);
+    err = base64_decode( &out[*out_off], maxout - *out_off, &rc, in, inlen - 2);
     if (err) {
         return -1;
     }
@@ -559,20 +559,16 @@
 {
     int rc;
     int off;
-    char *buf;
-    char *dec;
     int dec_off;
     int full_line;
     int max_input;
 
     boot_uf = f;
-    buf = in_buf;
-    dec = dec_buf;
     max_input = sizeof(in_buf);
 
     off = 0;
     while (1) {
-        rc = f->read(buf + off, sizeof(in_buf) - off, &full_line);
+        rc = f->read(in_buf + off, sizeof(in_buf) - off, &full_line);
         if (rc <= 0 && !full_line) {
             continue;
         }
@@ -586,16 +582,18 @@
             }
             continue;
         }
-        if (buf[0] == SHELL_NLIP_PKT_START1 &&
-          buf[1] == SHELL_NLIP_PKT_START2) {
+        if (in_buf[0] == SHELL_NLIP_PKT_START1 &&
+          in_buf[1] == SHELL_NLIP_PKT_START2) {
             dec_off = 0;
-            rc = boot_serial_in_dec(&buf[2], off - 2, dec, &dec_off, max_input);
-        } else if (buf[0] == SHELL_NLIP_DATA_START1 &&
-          buf[1] == SHELL_NLIP_DATA_START2) {
-            rc = boot_serial_in_dec(&buf[2], off - 2, dec, &dec_off, max_input);
+            rc = boot_serial_in_dec(&in_buf[2], off - 2, dec_buf, &dec_off, max_input);
+        } else if (in_buf[0] == SHELL_NLIP_DATA_START1 &&
+          in_buf[1] == SHELL_NLIP_DATA_START2) {
+            rc = boot_serial_in_dec(&in_buf[2], off - 2, dec_buf, &dec_off, max_input);
         }
+
+        /* serve errors: out of decode memory, or bad encoding */
         if (rc == 1) {
-            boot_serial_input(&dec[2], dec_off - 2);
+            boot_serial_input(&dec_buf[2], dec_off - 2);
         }
         off = 0;
     }