From 078a5a0e7ca006f6536d3a72e94f49f4d52f8953 Mon Sep 17 00:00:00 2001
From: Yu-Ping Wu
Date: Thu, 15 Aug 2024 10:17:38 +0800
Subject: commonlib/bsd/string: Fix pointer overflow for strnlen()

When `maxlen` is large (such as SIZE_MAX), the `end` pointer will overflow, causing strnlen() to incorrectly return 0. To not make the implementation over-complicated, fix the problem by using a counter.
BUG=b:359951393
TEST=make unit-tests -j
BRANCH=none
Change-Id: Ic9d983b11391f5e05c2bceb262682aced5206f94
Signed-off-by: Yu-Ping Wu
Reviewed-on: https://review.coreboot.org/c/coreboot/+/83914
Reviewed-by: Julius Werner
Reviewed-by: Karthik Ramasubramanian
Tested-by: build bot (Jenkins)
Reviewed-by: Mario Scheithauer
---
 src/commonlib/bsd/string.c | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)
(limited to 'src/commonlib')
diff --git a/src/commonlib/bsd/string.c b/src/commonlib/bsd/string.c
index 16cd4b5e1d..56670e8862 100644
--- a/src/commonlib/bsd/string.c
+++ b/src/commonlib/bsd/string.c
@@ -15,12 +15,10 @@ size_t strlen(const char *str)

 size_t strnlen(const char *str, size_t maxlen)
 {
- const char *ptr = str;
- const char *end = str + maxlen + 1;
-
- while (*ptr++ && ptr < end)
- ;
- return ptr - str - 1;
+ size_t len = 0;
+ while (*str++ && len < maxlen)
+ len++;
+ return len;
 }

 char *strcat(char *dst, const char *src)
-- 
cgit v1.2.3
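Review bot: The new loop condition `*str++ && len < maxlen` dereferences `str` before it tests the bound, so strnlen() can still read one byte beyond the `maxlen` limit. With `maxlen == 0` it reads `str[0]`, and for a buffer holding exactly `maxlen` non-NUL bytes it reads `str[maxlen]`. Because strnlen() is the call used on fixed-size fields that may lack a terminator, that extra read can land outside the object. Testing the counter first removes the read without changing the return value for any input: `while (len < maxlen && *str++)`. A unit test with `maxlen == 0`, and one with an unterminated buffer of exactly `maxlen` bytes, would pin this behaviour.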