Commit 29425be49bf301b55807dd27f55678e6d0a81060

Authored by Jeroen Hofstee
Committed by Marek Vasut
1 parent 25d1936a19

usb: fastboot: fix potential buffer overflow

cb_getvar tries to prevent overflowing the response buffer
by using strncat. But strncat takes the number of data bytes
to copy as its limit, not the total buffer length, so it can still
overflow. Pass the correct value instead.

cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
cc: Rob Herring <robh@kernel.org>
Signed-off-by: Jeroen Hofstee <jeroen@myspectrum.nl>

Showing 1 changed file with 7 additions and 4 deletions Side-by-side Diff

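--- a/drivers/usb/gadget/f_fastboot.c
+++ b/drivers/usb/gadget/f_fastboot.c
@@ -331,8 +331,11 @@
 	char *cmd = req->buf;
 	char response[RESPONSE_LEN];
 	const char *s;
+	size_t chars_left;
 
 	strcpy(response, "OKAY");
+	chars_left = sizeof(response) - strlen(response) - 1;
+
 	strsep(&cmd, ":");
 	if (!cmd) {
 		fastboot_tx_write_str("FAILmissing var");
@@ -340,18 +343,18 @@
 	}
 
 	if (!strcmp_l1("version", cmd)) {
-		strncat(response, FASTBOOT_VERSION, sizeof(response));
+		strncat(response, FASTBOOT_VERSION, chars_left);
 	} else if (!strcmp_l1("bootloader-version", cmd)) {
-		strncat(response, U_BOOT_VERSION, sizeof(response));
+		strncat(response, U_BOOT_VERSION, chars_left);
 	} else if (!strcmp_l1("downloadsize", cmd)) {
 		char str_num[12];
 
 		sprintf(str_num, "%08x", CONFIG_USB_FASTBOOT_BUF_SIZE);
-		strncat(response, str_num, sizeof(response));
+		strncat(response, str_num, chars_left);
 	} else if (!strcmp_l1("serialno", cmd)) {
 		s = getenv("serial#");
 		if (s)
-			strncat(response, s, chars_left);
+			strncat(response, s, chars_left);
 		else
 			strcpy(response, "FAILValue not set");
 	} else {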
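Review bot: `chars_left` is a one-time snapshot of the space left after the "OKAY" prefix, so it is only correct because every branch in this hunk performs exactly one strncat(); a second append in any branch would reuse a stale limit and overrun `response` again, which is the same class of bug the commit fixes. A comment at the computation in the first hunk would pin that invariant: `/* bytes strncat() may append after "OKAY"; recompute if more than one append is ever done */`. Note also that any value longer than `chars_left` (e.g. the `serial#` environment string) is now silently truncated into an OKAY reply rather than rejected, so callers should not assume the response is complete; a `snprintf(response, sizeof(response), "OKAY%s", s)` with a length check would make truncation detectable. The `sprintf()` into `str_num[12]` is safe for a "%08x" of an unsigned int but would be clearer as `snprintf(str_num, sizeof(str_num), ...)`. cb_getvar begins before the first hunk and its `else` body continues past this one.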