[U-Boot] [PATCH] usb: fastboot: fix potential buffer overflow
Jeroen Hofstee
jeroen at myspectrum.nl
Sat Jun 14 00:57:14 CEST 2014
cb_getvar tries to prevent overflowing the response buffer
by using strncat. But strncat takes the number of data bytes
copied as a limit not the total buffer length so it can still
overflow. Pass the correct value instead.
cc: Sebastian Andrzej Siewior <bigeasy at linutronix.de>
cc: Rob Herring <robh at kernel.org>
Signed-off-by: Jeroen Hofstee <jeroen at myspectrum.nl>
---
drivers/usb/gadget/f_fastboot.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/drivers/usb/gadget/f_fastboot.c b/drivers/usb/gadget/f_fastboot.c
index 9dd85b6..7a1acb9 100644
--- a/drivers/usb/gadget/f_fastboot.c
+++ b/drivers/usb/gadget/f_fastboot.c
@@ -331,8 +331,11 @@ static void cb_getvar(struct usb_ep *ep, struct usb_request *req)
char *cmd = req->buf;
char response[RESPONSE_LEN];
const char *s;
+ size_t chars_left;
strcpy(response, "OKAY");
+ chars_left = sizeof(response) - strlen(response) - 1;
+
strsep(&cmd, ":");
if (!cmd) {
fastboot_tx_write_str("FAILmissing var");
@@ -340,18 +343,18 @@ static void cb_getvar(struct usb_ep *ep, struct usb_request *req)
}
if (!strcmp_l1("version", cmd)) {
- strncat(response, FASTBOOT_VERSION, sizeof(response));
+ strncat(response, FASTBOOT_VERSION, chars_left);
} else if (!strcmp_l1("bootloader-version", cmd)) {
- strncat(response, U_BOOT_VERSION, sizeof(response));
+ strncat(response, U_BOOT_VERSION, chars_left);
} else if (!strcmp_l1("downloadsize", cmd)) {
char str_num[12];
sprintf(str_num, "%08x", CONFIG_USB_FASTBOOT_BUF_SIZE);
- strncat(response, str_num, sizeof(response));
+ strncat(response, str_num, chars_left);
} else if (!strcmp_l1("serialno", cmd)) {
s = getenv("serial#");
if (s)
- strncat(response, s, sizeof(response));
+ strncat(response, s, chars_left);
else
strcpy(response, "FAILValue not set");
} else {
--
1.8.3.2
More information about the U-Boot
mailing list