Commit e2140588dd2f3e619f21d9575281b7c7ea771c09
Committed by
Marek Vasut
1 parent
16b61d13ba
Exists in
v2017.01-smarct4x
and in
37 other branches
usb: gadget: fastboot: terminate commands with NULL
Without NULL termination, various commands will read past the end of input. In particular, this was noticed with error() calls in cb_getvar and simple_strtoul() in cb_download. Since the download callback happens elsewhere, the 4k buffer should always be sufficient to handle command arguments. Signed-off-by: Eric Nelson <eric.nelson@boundarydevices.com>
Showing 1 changed file with 8 additions and 1 deletions Side-by-side Diff
drivers/usb/gadget/f_fastboot.c
... | ... | @@ -546,7 +546,14 @@ |
546 | 546 | error("unknown command: %s\n", cmdbuf); |
547 | 547 | fastboot_tx_write_str("FAILunknown command"); |
548 | 548 | } else { |
549 | - func_cb(ep, req); | |
549 | + if (req->actual < req->length) { | |
550 | + u8 *buf = (u8 *)req->buf; | |
551 | + buf[req->actual] = 0; | |
552 | + func_cb(ep, req); | |
553 | + } else { | |
554 | + error("buffer overflow\n"); | |
555 | + fastboot_tx_write_str("FAILbuffer overflow"); | |
556 | + } | |
550 | 557 | } |
551 | 558 | |
552 | 559 | if (req->status == 0) { |