usb: gadget: fastboot: terminate commands with NULL
authorEric Nelson <eric.nelson@boundarydevices.com>
Wed, 1 Oct 2014 21:30:56 +0000 (14:30 -0700)
committerMarek Vasut <marex@denx.de>
Mon, 6 Oct 2014 19:07:44 +0000 (21:07 +0200)
Without NULL termination, various commands will read past the
end of input. In particular, this was noticed with error()
calls in cb_getvar and simple_strtoul() in cb_download.

Since the download callback happens elsewhere, the 4k buffer
should always be sufficient to handle command arguments.

Signed-off-by: Eric Nelson <eric.nelson@boundarydevices.com>
drivers/usb/gadget/f_fastboot.c

index 392379dce4182caf509f60206b347eb89a8e3694..71b62e5005a12915a164acb74335b4cad6828e4b 100644 (file)
@@ -546,7 +546,14 @@ static void rx_handler_command(struct usb_ep *ep, struct usb_request *req)
                error("unknown command: %s\n", cmdbuf);
                fastboot_tx_write_str("FAILunknown command");
        } else {
-               func_cb(ep, req);
+               if (req->actual < req->length) {
+                       u8 *buf = (u8 *)req->buf;
+                       buf[req->actual] = 0;
+                       func_cb(ep, req);
+               } else {
+                       error("buffer overflow\n");
+                       fastboot_tx_write_str("FAILbuffer overflow");
+               }
        }
 
        if (req->status == 0) {