usb: fastboot: fix potential buffer overflow
authorJeroen Hofstee <jeroen@myspectrum.nl>
Fri, 13 Jun 2014 22:57:14 +0000 (00:57 +0200)
committerMarek Vasut <marex@denx.de>
Wed, 25 Jun 2014 20:44:40 +0000 (22:44 +0200)
cb_getvar tries to prevent overflowing the response buffer
by using strncat. But strncat takes the number of data bytes
copied as a limit not the total buffer length so it can still
overflow. Pass the correct value instead.

cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
cc: Rob Herring <robh@kernel.org>
Signed-off-by: Jeroen Hofstee <jeroen@myspectrum.nl>
drivers/usb/gadget/f_fastboot.c

index 9dd85b636e97fbb7f7067b7087cd4928d1e6dba3..7a1acb9df02be0d47a7fd492eaa1004d9c45232a 100644 (file)
@@ -331,8 +331,11 @@ static void cb_getvar(struct usb_ep *ep, struct usb_request *req)
        char *cmd = req->buf;
        char response[RESPONSE_LEN];
        const char *s;
+       size_t chars_left;
 
        strcpy(response, "OKAY");
+       chars_left = sizeof(response) - strlen(response) - 1;
+
        strsep(&cmd, ":");
        if (!cmd) {
                fastboot_tx_write_str("FAILmissing var");
@@ -340,18 +343,18 @@ static void cb_getvar(struct usb_ep *ep, struct usb_request *req)
        }
 
        if (!strcmp_l1("version", cmd)) {
-               strncat(response, FASTBOOT_VERSION, sizeof(response));
+               strncat(response, FASTBOOT_VERSION, chars_left);
        } else if (!strcmp_l1("bootloader-version", cmd)) {
-               strncat(response, U_BOOT_VERSION, sizeof(response));
+               strncat(response, U_BOOT_VERSION, chars_left);
        } else if (!strcmp_l1("downloadsize", cmd)) {
                char str_num[12];
 
                sprintf(str_num, "%08x", CONFIG_USB_FASTBOOT_BUF_SIZE);
-               strncat(response, str_num, sizeof(response));
+               strncat(response, str_num, chars_left);
        } else if (!strcmp_l1("serialno", cmd)) {
                s = getenv("serial#");
                if (s)
-                       strncat(response, s, sizeof(response));
+                       strncat(response, s, chars_left);
                else
                        strcpy(response, "FAILValue not set");
        } else {