usb: sandbox: Bounds check read from buffer

The buffer is 512 bytes but read requests can be 800 bytes. Limit the
request to the size of the buffer.

Signed-off-by: Andrew Scull <ascull@google.com>
Cc: Simon Glass <sjg@chromium.org>
Cc: Marek Vasut <marex@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
Andrew Scull 2022-04-03 10:39:12 +00:00 committed by Tom Rini
parent 62120155b6
commit beb341ae7f

@ -345,6 +345,8 @@ static int sandbox_flash_bulk(struct udevice *dev, struct usb_device *udev,
} else {
if (priv->alloc_len && len > priv->alloc_len)
len = priv->alloc_len;
if (len > sizeof(priv->buff))
len = sizeof(priv->buff);
memcpy(buff, priv->buff, len);
priv->phase = PHASE_STATUS;
}
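Review bot: The new `if (len > sizeof(priv->buff))` clamp shortens the request silently, so for the 800-byte read mentioned in the commit message only the first 512 bytes of `buff` are written by the `memcpy()` and the remainder keeps whatever the caller had there. Please confirm that the length reported back to the caller is the clamped `len` rather than the original request, and add a one-line comment above the check saying why the limit exists. Since this check runs after the `priv->alloc_len` clamp, it also covers an `alloc_len` larger than the buffer; folding both limits into a single minimum over `len`, `priv->alloc_len` and `sizeof(priv->buff)` would make that explicit.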