Commit 29425be49bf301b55807dd27f55678e6d0a81060
Committed by
Marek Vasut
1 parent
25d1936a19
Exists in
v2017.01-smarct4x
and in
40 other branches
usb: fastboot: fix potential buffer overflow
cb_getvar tries to prevent overflowing the response buffer by using strncat. But strncat takes the number of data bytes copied as its limit, not the total buffer length, so it can still overflow. Pass the correct value instead. cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de> cc: Rob Herring <robh@kernel.org> Signed-off-by: Jeroen Hofstee <jeroen@myspectrum.nl>
Showing 1 changed file with 7 additions and 4 deletions Side-by-side Diff
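--- a/drivers/usb/gadget/f_fastboot.c
+++ b/drivers/usb/gadget/f_fastboot.c
@@ -331,8 +331,11 @@
 char *cmd = req->buf;
 char response[RESPONSE_LEN];
 const char *s;
+size_t chars_left;
 
 strcpy(response, "OKAY");
+chars_left = sizeof(response) - strlen(response) - 1;
+
 strsep(&cmd, ":");
 if (!cmd) {
 fastboot_tx_write_str("FAILmissing var");
@@ -340,18 +343,18 @@
 }
 
 if (!strcmp_l1("version", cmd)) {
-strncat(response, FASTBOOT_VERSION, sizeof(response));
+strncat(response, FASTBOOT_VERSION, chars_left);
 } else if (!strcmp_l1("bootloader-version", cmd)) {
-strncat(response, U_BOOT_VERSION, sizeof(response));
+strncat(response, U_BOOT_VERSION, chars_left);
 } else if (!strcmp_l1("downloadsize", cmd)) {
 char str_num[12];
 
 sprintf(str_num, "%08x", CONFIG_USB_FASTBOOT_BUF_SIZE);
-strncat(response, str_num, sizeof(response));
+strncat(response, str_num, chars_left);
 } else if (!strcmp_l1("serialno", cmd)) {
 s = getenv("serial#");
 if (s)
-strncat(response, s, sizeof(response));
+strncat(response, s, chars_left);
 else
 strcpy(response, "FAILValue not set");
 } else {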
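Review bot: `chars_left` is a one-time snapshot taken right after `strcpy(response, "OKAY")` and is never decremented, so it is a correct bound only for the first `strncat` on each path. A branch that later appends twice would bring the overflow back without any visible change to the call sites. I would document that at the assignment, for example `/* room left after "OKAY", excluding the NUL; valid for a single strncat() only */`. Separately, `strncat` truncates silently, so an over-long `serial#` environment value would be reported as OKAY with a shortened value; it is worth deciding whether that case should fail instead. The body of cb_getvar starts above the first hunk, and the final `else` branch continues past the end of the second.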