usb: gadget: fastboot: terminate commands with NULL

Without NULL termination, various commands will read past the end of input. In particular, this was noticed with error() calls in cb_getvar and simple_strtoul() in cb_download. Since the download callback happens elsewhere, the 4k buffer should always be sufficient to handle command arguments. Signed-off-by: Eric Nelson <eric.nelson@boundarydevices.com>

usb: gadget: fastboot: terminate commands with NULL
Without NULL termination, various commands will read past the end of input. In particular, this was noticed with error() calls in cb_getvar and simple_strtoul() in cb_download. Since the download callback happens elsewhere, the 4k buffer should always be sufficient to handle command arguments. Signed-off-by: Eric Nelson <eric.nelson@boundarydevices.com>
Eric Nelson · Marek Vasut
1 parent 16b61d13ba
Showing 1 changed file with 8 additions and 1 deletions Side-by-side Diff
drivers/usb/gadget/f_fastboot.c
@@ -546,7 +546,14 @@
 		error("unknown command: %s\n", cmdbuf);
 		fastboot_tx_write_str("FAILunknown command");
 	} else {
-		func_cb(ep, req);
+		if (req->actual < req->length) {
+			u8 *buf = (u8 *)req->buf;
+			buf[req->actual] = 0;
+			func_cb(ep, req);
+		} else {
+			error("buffer overflow\n");
+			fastboot_tx_write_str("FAILbuffer overflow");
+		}
 	}
  
 	if (req->status == 0) {
...	...	@@ -546,7 +546,14 @@
546	546	error("unknown command: %s\n", cmdbuf);
547	547	fastboot_tx_write_str("FAILunknown command");
548	548	} else {
549		- func_cb(ep, req);
	549	+ if (req->actual < req->length) {
	550	+ u8 buf = (u8 )req->buf;
	551	+ buf[req->actual] = 0;
	552	+ func_cb(ep, req);
	553	+ } else {
	554	+ error("buffer overflow\n");
	555	+ fastboot_tx_write_str("FAILbuffer overflow");
	556	+ }
550	557	}
551	558
552	559	if (req->status == 0) {