[PATCH 5/8] usb: sandbox: Bounds check read from buffer
Andrew Scull
ascull at google.com
Sun Apr 3 12:39:12 CEST 2022
The buffer is 512 bytes but read requests can be 800 bytes. Limit the
request to the size of the buffer.
Signed-off-by: Andrew Scull <ascull at google.com>
Cc: Simon Glass <sjg at chromium.org>
Cc: Marek Vasut <marex at denx.de>
---
drivers/usb/emul/sandbox_flash.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/usb/emul/sandbox_flash.c b/drivers/usb/emul/sandbox_flash.c
index edabc1b3a7..cc80f67133 100644
--- a/drivers/usb/emul/sandbox_flash.c
+++ b/drivers/usb/emul/sandbox_flash.c
@@ -345,6 +345,8 @@ static int sandbox_flash_bulk(struct udevice *dev, struct usb_device *udev,
} else {
if (priv->alloc_len && len > priv->alloc_len)
len = priv->alloc_len;
+ if (len > sizeof(priv->buff))
+ len = sizeof(priv->buff);
memcpy(buff, priv->buff, len);
priv->phase = PHASE_STATUS;
}
--
2.35.1.1094.g7c7d902a7c-goog
More information about the U-Boot
mailing list