From 487730cc8bc8895bd20013b5d8e9f4f4deddae56 Mon Sep 17 00:00:00 2001
From: Kris Kennaway
Date: Mon, 10 Jul 2000 06:33:55 +0000
Subject: [PATCH] Don't call printf with no format string. This is technically a security vulnerability and could in principle be used to upload a new kernel from the bootloader :-)
---
 sys/boot/common/commands.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/boot/common/commands.c b/sys/boot/common/commands.c
index 0aab78e51bd..b0fb412a9ea 100644
--- a/sys/boot/common/commands.c
+++ b/sys/boot/common/commands.c
@@ -326,7 +326,7 @@ command_echo(int argc, char *argv[])
 s = unargv(argc, argv);
 if (s != NULL) {
- printf(s);
+ printf("%s", s);
 free(s);
 }
 if (!nl)
@@ -378,7 +378,7 @@ command_read(int argc, char *argv[])
 name = (argc > 0) ? argv[0]: NULL;
 if (prompt != NULL)
- printf(prompt);
+ printf("%s", prompt);
 if (timeout >= 0) {
 when = time(NULL) + timeout;
 while (!ischar())
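Review bot: Nothing at the two fixed call sites records why the literal format is required, so a later cleanup could fold `printf("%s", s)` in command_echo or `printf("%s", prompt)` in command_read back into the one-argument form. In command_echo `s` is built by `unargv(argc, argv)`, so it is caller-supplied text; `prompt` in command_read is presumably taken from the command's options, but its assignment is outside the hunk. I would add a short comment above each call, e.g. `/* text comes from the command line: never pass it as the format string */`. Building the loader with `-Wformat -Wformat-security` would also let the compiler flag any remaining or future non-literal format, since other printf-family callers in this file are not visible here. Both function bodies begin and end outside the hunks.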