Skip to content

drivers: mdio: shell: Fix various buffer overflows #93257

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
+32 −7
Open

drivers: mdio: shell: Fix various buffer overflows #93257

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
39 changes: 32 additions & 7 deletions drivers/mdio/mdio_shell.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,8 +32,13 @@ static void device_name_get(size_t idx, struct shell_static_entry *entry)

SHELL_DYNAMIC_CMD_CREATE(dsub_device_name, device_name_get);

static int parse_device_arg(const struct shell *sh, char **argv, const struct device **dev)
static int parse_device_arg(const struct shell *sh, size_t argc,
char **argv, const struct device **dev)
{
if (argc < 2) {
shell_error(sh, "not enough arguments");
return -EINVAL;
}
*dev = shell_device_get_binding(argv[1]);
if (!*dev) {
shell_error(sh, "device %s not found", argv[1]);
Expand All @@ -55,12 +60,12 @@ static int cmd_mdio_scan(const struct shell *sh, size_t argc, char **argv)
uint16_t reg_addr;
int ret;

ret = parse_device_arg(sh, argv, &dev);
ret = parse_device_arg(sh, argc, argv, &dev);
if (ret < 0) {
return ret;
}

if (argc >= 2) {
if (argc >= 3) {
reg_addr = strtol(argv[2], NULL, 16);
} else {
reg_addr = 0;
Expand Down Expand Up @@ -98,11 +103,16 @@ static int cmd_mdio_write(const struct shell *sh, size_t argc, char **argv)
uint16_t port_addr;
int ret;

ret = parse_device_arg(sh, argv, &dev);
ret = parse_device_arg(sh, argc, argv, &dev);
if (ret < 0) {
return ret;
}

if (argc < 5) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this and the below new checks are not needed as the commands take no optional arguments and therefore this is already checked by the shell.

zephyr/include/zephyr/shell/shell.h

Lines 531 to 532 in 72dc0e5

* @note If a command will be called with wrong number of arguments shell will
* print an error message and command handler will not be called.

shell_error(sh, "not enough arguments");
return -EINVAL;
}

port_addr = strtol(argv[2], NULL, 16);
reg_addr = strtol(argv[3], NULL, 16);
data = strtol(argv[4], NULL, 16);
Expand Down Expand Up @@ -130,11 +140,16 @@ static int cmd_mdio_read(const struct shell *sh, size_t argc, char **argv)
uint16_t port_addr;
int ret;

ret = parse_device_arg(sh, argv, &dev);
ret = parse_device_arg(sh, argc, argv, &dev);
if (ret < 0) {
return ret;
}

if (argc < 4) {
shell_error(sh, "not enough arguments");
return -EINVAL;
}

port_addr = strtol(argv[2], NULL, 16);
reg_addr = strtol(argv[3], NULL, 16);

Expand Down Expand Up @@ -164,11 +179,16 @@ static int cmd_mdio_write_45(const struct shell *sh, size_t argc, char **argv)
uint8_t port_addr;
int ret;

ret = parse_device_arg(sh, argv, &dev);
ret = parse_device_arg(sh, argc, argv, &dev);
if (ret < 0) {
return ret;
}

if (argc < 6) {
shell_error(sh, "not enough arguments");
return -EINVAL;
}

port_addr = strtol(argv[2], NULL, 16);
dev_addr = strtol(argv[3], NULL, 16);
reg_addr = strtol(argv[4], NULL, 16);
Expand Down Expand Up @@ -198,11 +218,16 @@ static int cmd_mdio_read_c45(const struct shell *sh, size_t argc, char **argv)
uint8_t port_addr;
int ret;

ret = parse_device_arg(sh, argv, &dev);
ret = parse_device_arg(sh, argc, argv, &dev);
if (ret < 0) {
return ret;
}

if (argc < 5) {
shell_error(sh, "not enough arguments");
return -EINVAL;
}

port_addr = strtol(argv[2], NULL, 16);
dev_addr = strtol(argv[3], NULL, 16);
reg_addr = strtol(argv[4], NULL, 16);
Expand Down