commit d3455ac0873b03cd6af0650a069bb4ccd119d68f
author Evan Green <evgreen@chromium.org> Thu May 13 10:49:08 2021 -0700
committer Commit Bot <commit-bot@chromium.org> Fri May 14 20:06:58 2021 +0000
tree 99b5c3be76c59ecc6b6dfe2213722dcb954351dc
parent e681c371484b50c0cc35d91123b176acdc2449eb

tpmc: Use char sentinel in HexStringToUint32()

HexStringToUint32() uses sscanf(), scanning in a hex value, and
capturing the tail as well to figure out if the user passed in too much.
Switch to using a char for that overflow detection rather than a string
to avoid stack corruption. For example:

localhost# tpmc pcrread 999999999999999999999
*** stack smashing detected ***: terminated
Aborted (core dumped)

BUG=None
BRANCH=main
TEST=stop trunksd; tpmc pcrread 999999999999999999999

Signed-off-by: Evan Green <evgreen@chromium.org>
Change-Id: Idefec979d5cf6ab8a83da8654ed5591158807395
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2893695
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>

utility/tpmc.c

diff --git a/utility/tpmc.c b/utility/tpmc.c
index 5723edf..841551c 100644
--- a/utility/tpmc.c
+++ b/utility/tpmc.c
@@ -66,10 +66,10 @@
  * success, non-zero for failure.
  */
 static int HexStringToUint32(const char* string, uint32_t* value) {
-  char tail[1];
+  char tail;
   /* strtoul is not as good because it overflows silently */
-  const char* format = strncmp(string, "0x", 2) ? "%8x%s" : "0x%8x%s";
-  int n = sscanf(string, format, value, tail);
+  const char* format = strncmp(string, "0x", 2) ? "%8x%c" : "0x%8x%c";
+  int n = sscanf(string, format, value, &tail);
   return n != 1;
 }