author | Jeroen Hofstee <jeroen@myspectrum.nl> | 2014-06-14 00:57:14 +0200 |
---|---|---|
committer | Marek Vasut <marex@denx.de> | 2014-06-25 22:44:40 +0200 |
commit | 29425be49bf301b55807dd27f55678e6d0a81060 (patch) | |
tree | 7522de18aa885aaf1cfdb6d5bb525ac0b800ba5c | |
parent | 25d1936a192ac62b8df5dc33e37455dcaeb19fae (diff) | |
usb: fastboot: fix potential buffer overflow
cb_getvar tries to prevent overflowing the response buffer
by using strncat. But strncat takes the number of data bytes
copied as a limit not the total buffer length so it can still
overflow. Pass the correct value instead.
cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
cc: Rob Herring <robh@kernel.org>
Signed-off-by: Jeroen Hofstee <jeroen@myspectrum.nl>
-rw-r--r-- | drivers/usb/gadget/f_fastboot.c | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/drivers/usb/gadget/f_fastboot.c b/drivers/usb/gadget/f_fastboot.c
index 9dd85b6..7a1acb9 100644
--- a/drivers/usb/gadget/f_fastboot.c
+++ b/drivers/usb/gadget/f_fastboot.c
@@ -331,8 +331,11 @@ static void cb_getvar(struct usb_ep *ep, struct usb_request *req)
 char *cmd = req->buf;
 char response[RESPONSE_LEN];
 const char *s;
+ size_t chars_left;
 strcpy(response, "OKAY");
+ chars_left = sizeof(response) - strlen(response) - 1;
+
 strsep(&cmd, ":");
 if (!cmd) {
 fastboot_tx_write_str("FAILmissing var");
@@ -340,18 +343,18 @@ static void cb_getvar(struct usb_ep *ep, struct usb_request *req)
 }
 if (!strcmp_l1("version", cmd)) {
- strncat(response, FASTBOOT_VERSION, sizeof(response));
+ strncat(response, FASTBOOT_VERSION, chars_left);
 } else if (!strcmp_l1("bootloader-version", cmd)) {
- strncat(response, U_BOOT_VERSION, sizeof(response));
+ strncat(response, U_BOOT_VERSION, chars_left);
 } else if (!strcmp_l1("downloadsize", cmd)) {
 char str_num[12];
 sprintf(str_num, "%08x", CONFIG_USB_FASTBOOT_BUF_SIZE);
- strncat(response, str_num, sizeof(response));
+ strncat(response, str_num, chars_left);
 } else if (!strcmp_l1("serialno", cmd)) {
 s = getenv("serial#");
 if (s)
- strncat(response, s, sizeof(response));
+ strncat(response, s, chars_left);
 else
 strcpy(response, "FAILValue not set");
 } else { |
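Review bot: `chars_left` is computed once, right after `strcpy(response, "OKAY")`, and nothing in the lines shown updates it, so it is a correct `strncat` bound only while each branch appends exactly one string to the untouched "OKAY" prefix. A branch that later appends twice would bring the overflow back without any warning from the compiler. I would record that invariant at the assignment, e.g. `/* room after "OKAY", excluding the NUL; valid for a single append only */`. cb_getvar starts before this hunk and continues past it, so any other writers to `response` are not visible here.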
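Review bot: With the bound corrected, a value longer than `chars_left` is now truncated silently and still sent with the OKAY prefix. This matters most in the `serialno` branch, where `s` comes from the `serial#` environment variable and has no length fixed at build time. A host that identifies devices by serial number would receive a shortened value it cannot tell apart from a real one. Consider rejecting the oversize case explicitly ahead of the existing `if (s)`, e.g. `if (s && strlen(s) > chars_left) strcpy(response, "FAILValue too long");`, with the existing test becoming `else if (s)`. The final `else` branch and the code that transmits `response` lie outside the hunk.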