[PATCH 5/8] usb: sandbox: Bounds check read from buffer

Andrew Scull ascull at google.com
Sun Apr 3 12:39:12 CEST 2022


The buffer is 512 bytes but read requests can be 800 bytes. Limit the
request to the size of the buffer.

Signed-off-by: Andrew Scull <ascull at google.com>
Cc: Simon Glass <sjg at chromium.org>
Cc: Marek Vasut <marex at denx.de>
---
 drivers/usb/emul/sandbox_flash.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/usb/emul/sandbox_flash.c b/drivers/usb/emul/sandbox_flash.c
index edabc1b3a7..cc80f67133 100644
--- a/drivers/usb/emul/sandbox_flash.c
+++ b/drivers/usb/emul/sandbox_flash.c
@@ -345,6 +345,8 @@ static int sandbox_flash_bulk(struct udevice *dev, struct usb_device *udev,
 			} else {
 				if (priv->alloc_len && len > priv->alloc_len)
 					len = priv->alloc_len;
+				if (len > sizeof(priv->buff))
+					len = sizeof(priv->buff);
 				memcpy(buff, priv->buff, len);
 				priv->phase = PHASE_STATUS;
 			}
-- 
2.35.1.1094.g7c7d902a7c-goog



More information about the U-Boot mailing list