[rtems commit] shell/shell.c: Fix illegal string copy

Sebastian Huber sebh at rtems.org
Thu Oct 15 17:23:00 UTC 2020 

Module:    rtems
Branch:    master
Commit:    529402f597184a735a691aa95fb32ab9a42946ef
Changeset: http://git.rtems.org/rtems/commit/?id=529402f597184a735a691aa95fb32ab9a42946ef

Author:    Frank Kühndel <frank.kuehndel at embedded-brains.de>
Date:      Mon Oct 12 18:01:45 2020 +0200

shell/shell.c:  Fix illegal string copy

This is an illegal use of strcpy() because one is not allowed to
use this function with overlapping source and destination buffers;
whereas memmove() is explicitly designed to handle such cases.

The copiler warning was:

../../../cpukit/libmisc/shell/shell.c:626:13: warning:
'strcpy' accessing between 1 and 2147483645 bytes at offsets
0 and [1, 2147483647] may overlap up to 2147483644 bytes at
offset [1, 2147483644] [-Wrestrict]

---

 cpukit/libmisc/shell/shell.c | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/cpukit/libmisc/shell/shell.c b/cpukit/libmisc/shell/shell.c
index c5fc1f5..3c357a1 100644
--- a/cpukit/libmisc/shell/shell.c
+++ b/cpukit/libmisc/shell/shell.c
@@ -288,6 +288,16 @@ void rtems_shell_dup_current_env(rtems_shell_env_t *copy)
 }
 
 /*
+ *  Move a string in a buffer to the left (e.g. when a character
+ *  is deleted). The string must be NUL-terminated and the
+ *  NUL-character will be moved too.
+ */
+static void rtems_shell_move_left(char *start, size_t offset)
+{
+  memmove(start, start + offset, strlen(start + offset) + 1);
+}
+
+/*
  *  Get a line of user input with modest features
  */
 static int rtems_shell_line_editor(
@@ -393,7 +403,7 @@ static int rtems_shell_line_editor(
           {
             int end;
             int bs;
-            strcpy (&line[col], &line[col + 1]);
+            rtems_shell_move_left(line + col, 1);
             if (output) {
               fprintf(out,"\r%s%s ", prompt, line);
               end = (int) strlen (line);
@@ -432,7 +442,7 @@ static int rtems_shell_line_editor(
         case 4:                         /* Control-D */
           if (strlen(line)) {
             if (col < strlen(line)) {
-              strcpy (line + col, line + col + 1);
+              rtems_shell_move_left(line + col, 1);
               if (output) {
                 int bs;
                 fprintf(out,"%s \b", line + col);
@@ -508,7 +518,7 @@ static int rtems_shell_line_editor(
           {
             int bs;
             col--;
-            strcpy (line + col, line + col + 1);
+            rtems_shell_move_left(line + col, 1);
             if (output) {
               fprintf(out,"\b%s \b", line + col);
               for (bs = 0; bs < ((int) strlen (line) - col); bs++)
@@ -625,7 +635,7 @@ static int rtems_shell_line_editor(
             int clen = (int) strlen (line);
             int bs;
 
-            strcpy (line, line + col);
+            rtems_shell_move_left(line, col);
             if (output) {
               fprintf(out,"\r%s%*c", prompt, clen, ' ');
               fprintf(out,"\r%s%s", prompt, line);

More information about the vc mailing list