#130 Fix buffer overflow when creating firmware.dfc file string


When the user uses an external firmware image, there is a call to getpathnoext() in firmware.cpp:571 in order to generate a file name for the saved firmware config file.

The size of the MMU.fw.userfile char buffer is only 260, as declared in mc.h:73. However, getpathnoext() expects the buffer size to be MAX_PATH, which is declared as 1024 in types.h:77. The buffer overflow occurs in path.h:293 with the call to strncpy(), which copies 1024 chars into MMU.fw.userfile, which is only 260 chars.

This patch fixes this bug by setting the MMU.fw.userfile char buffer to a size of MAX_PATH. This is consistent with the char buffers used for the other file names.
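The size mismatch described in the report, as an added example that is not part of the original post or the project's code: `strncpy()` zero-fills the destination up to the count it is given, so a 1024-byte count writes past a 260-byte field even when the path is short. The names `clobbered_by_strncpy`, `copy_path` and the arena layout are hypothetical; only the two sizes come from the report. `copy_path` bounds the copy by the destination's real size, a different defence from the patch's buffer enlargement.

```c
#include <stdio.h>
#include <string.h>

#define MAX_PATH_LEN 1024 /* MAX_PATH value quoted in the report */
#define USERFILE_LEN 260  /* old MMU.fw.userfile size quoted in the report */

/* Hypothetical model: the first USERFILE_LEN bytes of a MAX_PATH_LEN arena
   stand for the 260-byte field, the rest for whatever follows it in memory.
   Returns how many of those following bytes the copy changed. */
size_t clobbered_by_strncpy(const char *src)
{
    unsigned char arena[MAX_PATH_LEN];
    size_t i, changed = 0;

    memset(arena, 0xAA, sizeof arena);             /* canary pattern */
    strncpy((char *)arena, src, MAX_PATH_LEN);     /* size the callee assumes */
    for (i = USERFILE_LEN; i < MAX_PATH_LEN; i++)
        if (arena[i] != 0xAA)
            changed++;
    return changed;
}

/* Hypothetical hardened copy: the bound is the destination's real size.
   Returns 0 on success, -1 if src does not fit (dst becomes ""). */
int copy_path(char *dst, size_t dstsize, const char *src)
{
    size_t n = strlen(src);

    if (dstsize == 0)
        return -1;
    if (n >= dstsize) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);                       /* includes the terminator */
    return 0;
}

int main(void)
{
    char userfile[USERFILE_LEN];

    /* Constructed sample input: a short name still zero-fills all 1024 bytes. */
    printf("bytes past the field changed: %zu\n", clobbered_by_strncpy("fw.bin"));
    printf("bounded copy: %d\n", copy_path(userfile, sizeof userfile, "fw.dfc"));
    return 0;
}
```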


  • zeromus

    zeromus - 2011-06-24

    any patch related to firmware.dfc has my blessing because firmware.dfc is so half baked

  • Magliocchetti Riccardo

    Applied, thanks.

  • Magliocchetti Riccardo

    • status: open --> closed-fixed
