tpmc: Use char sentinel in HexStringToUint32()
HexStringToUint32() uses sscanf(), scanning in a hex value, and
capturing the tail as well to figure out if the user passed in too much.
Switch to using a char for that overflow detection rather than a string
to avoid stack corruption. For example:
localhost# tpmc pcrread 999999999999999999999
*** stack smashing detected ***: terminated
Aborted (core dumped)
BUG=None
BRANCH=main
TEST=stop trunksd; tpmc pcrread 999999999999999999999
Signed-off-by: Evan Green <evgreen@chromium.org>
Change-Id: Idefec979d5cf6ab8a83da8654ed5591158807395
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/vboot_reference/+/2893695
Reviewed-by: Andrey Pronin <apronin@chromium.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
diff --git a/utility/tpmc.c b/utility/tpmc.c
index 5723edf..841551c 100644
--- a/utility/tpmc.c
+++ b/utility/tpmc.c
@@ -66,10 +66,10 @@
* success, non-zero for failure.
*/
static int HexStringToUint32(const char* string, uint32_t* value) {
- char tail[1];
+ char tail;
/* strtoul is not as good because it overflows silently */
- const char* format = strncmp(string, "0x", 2) ? "%8x%s" : "0x%8x%s";
- int n = sscanf(string, format, value, tail);
+ const char* format = strncmp(string, "0x", 2) ? "%8x%c" : "0x%8x%c";
+ int n = sscanf(string, format, value, &tail);
return n != 1;
}