[U-Boot] [PATCH 1/2] gadget: f_thor: fix filename overflow
Seung-Woo Kim
sw0312.kim at samsung.com
Thu May 10 01:52:14 UTC 2018
The thor sender can send a filename without a null character, and it
is used without consideration of overflow. Actually, the character
array for the filename is assigned with DEFINE_CACHE_ALIGN_BUFFER() and
it is bigger than the size of the memcpy, so there was no real overflow.
Fix filename overflow for code level integrity.
Signed-off-by: Seung-Woo Kim <sw0312.kim at samsung.com>
---
drivers/usb/gadget/f_thor.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/f_thor.c b/drivers/usb/gadget/f_thor.c
index f874509..6d38cb6 100644
--- a/drivers/usb/gadget/f_thor.c
+++ b/drivers/usb/gadget/f_thor.c
@@ -47,7 +47,7 @@ DEFINE_CACHE_ALIGN_BUFFER(unsigned char, thor_rx_data_buf,
/* ********************************************************** */
/* THOR protocol - transmission handling */
/* ********************************************************** */
-DEFINE_CACHE_ALIGN_BUFFER(char, f_name, F_NAME_BUF_SIZE);
+DEFINE_CACHE_ALIGN_BUFFER(char, f_name, F_NAME_BUF_SIZE + 1);
static unsigned long long int thor_file_size;
static int alt_setting_num;
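Review bot: The "+ 1" on the f_name definition is undocumented: nothing at this line says the extra byte is reserved for the terminator that process_rqt_download() stores at f_name[F_NAME_BUF_SIZE]. A one-line comment above the definition, such as "one extra byte for the trailing NUL", would keep a later cleanup from trimming the size back to F_NAME_BUF_SIZE and turning that store into a one-byte out-of-bounds write.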
@@ -276,6 +276,7 @@ static long long int process_rqt_download(const struct rqt_box *rqt)
thor_file_size = rqt->int_data[1];
memcpy(f_name, rqt->str_data[0], F_NAME_BUF_SIZE);
+ f_name[F_NAME_BUF_SIZE] = '\0';
debug("INFO: name(%s, %d), size(%llu), type(%d)\n",
f_name, 0, thor_file_size, file_type);
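Review bot: The memcpy() above the added line still reads a fixed F_NAME_BUF_SIZE bytes from rqt->str_data[0], and nothing visible in this hunk shows how large a str_data entry is. The new store at f_name[F_NAME_BUF_SIZE] bounds the destination only, so please confirm (in the commit message or with a build-time check) that each str_data entry is at least F_NAME_BUF_SIZE bytes, otherwise the copy can read past the request. The terminator itself is correctly placed ahead of the debug() call that prints f_name with %s.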
--
1.7.9.5