From c75e7da0b53dd67363b724502e91901e89097886 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 27 May 2020 16:22:07 +0200
Subject: [PATCH] efi: as extra paranoia NUL terminate UTF-16 strings with three NUL bytes

This is a safey net anyway, let's make it fully safe: if the data ends on an uneven byte, then we need to complete the UTF-16 codepoint first, before adding the final NUL byte pair. Hence let's suffix with three NULs, instead of just two.
---
 src/basic/efivars.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/basic/efivars.c b/src/basic/efivars.c
index 6b6f461446..496b5d4d44 100644
--- a/src/basic/efivars.c
+++ b/src/basic/efivars.c
@@ -101,7 +101,8 @@ int efi_get_variable(
 return -errno;
 if (try >= EFI_N_RETRIES)
 return -EBUSY;
- usleep(EFI_RETRY_DELAY);
+
+ (void) usleep(EFI_RETRY_DELAY);
 }
 if (n != sizeof(a))
@@ -109,7 +110,7 @@ int efi_get_variable(
 }
 if (ret_value) {
- buf = malloc(st.st_size - 4 + 2);
+ buf = malloc(st.st_size - 4 + 3);
 if (!buf)
 return -ENOMEM;
@@ -118,9 +119,10 @@ int efi_get_variable(
 return -errno;
 assert(n <= st.st_size - 4);
- /* Always NUL terminate (2 bytes, to protect UTF-16) */
+ /* Always NUL terminate (3 bytes, to properly protect UTF-16, even if truncated in the middle of a character) */
 ((char*) buf)[n] = 0;
 ((char*) buf)[n + 1] = 0;
+ ((char*) buf)[n + 2] = 0;
 } else
 /* Assume that the reported size is accurate */
 n = st.st_size - 4;
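Review bot: The `+ 3` slack in `malloc(st.st_size - 4 + 3)` (second hunk) and the three stores to `buf[n]`, `buf[n + 1]` and `buf[n + 2]` (third hunk) have to stay in step, yet only the comment ties them together. The stores are in bounds because `assert(n <= st.st_size - 4)` caps the highest index at the last allocated byte; the comment should say so, and the three assignments could become one call such as `memset((char*) buf + n, 0, 3);` sized by a constant shared with the allocation. The lower bound that keeps `st.st_size - 4` non-negative is not visible in these hunks, so confirm it is checked earlier in efi_get_variable(), whose body starts and ends outside the hunks.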