leandrof/u-boot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

gadget: f_thor: fix filename overflow

Browse Source 
The thor sender can send filename without null character and it is
used without consideration of overflow. Actually, character array
for filename is assigned with DEFINE_CACHE_ALIGN_BUFFER() and it
is bigger than size of memcpy, so there was no real overflow.
Fix filename overflow for code level integrity.

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
This commit is contained in:
Seung-Woo Kim 2018-05-10 10:52:14 +09:00 committed by Marek Vasut
parent 233719cc40
commit f9e8dc0abd
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
drivers/usb/gadget/f_thor.c
View File

@ -47,7 +47,7 @@ DEFINE_CACHE_ALIGN_BUFFER(unsigned char, thor_rx_data_buf,
/* ********************************************************** */
/* THOR protocol - transmission handling */
/* ********************************************************** */
DEFINE_CACHE_ALIGN_BUFFER(char, f_name, F_NAME_BUF_SIZE);
DEFINE_CACHE_ALIGN_BUFFER(char, f_name, F_NAME_BUF_SIZE + 1);
static unsigned long long int thor_file_size;
static int alt_setting_num;
@ -276,6 +276,7 @@ static long long int process_rqt_download(const struct rqt_box *rqt)
thor_file_size = rqt->int_data[1];
memcpy(f_name, rqt->str_data[0], F_NAME_BUF_SIZE);
f_name[F_NAME_BUF_SIZE] = '\0';
debug("INFO: name(%s, %d), size(%llu), type(%d)\n",
f_name, 0, thor_file_size, file_type);