gadget: f_thor: fix filename overflow
author Seung-Woo Kim <sw0312.kim@samsung.com>
Thu, 10 May 2018 01:52:14 +0000 (10:52 +0900)
committer Marek Vasut <marex@denx.de>
Fri, 18 May 2018 11:17:30 +0000 (13:17 +0200)
The thor sender can send a filename without a null character and it is
used without consideration of overflow. Actually, the character array
for the filename is assigned with DEFINE_CACHE_ALIGN_BUFFER() and it
is bigger than the size of the memcpy, so there was no real overflow.
Fix the filename overflow for code-level integrity.

Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
drivers/usb/gadget/f_thor.c

index f874509cf38d506e8065cc590b70ad02fc4f11c7..6d38cb6d498c55e84272d2a6af2e880aa03ed1bd 100644 (file)
@@ -47,7 +47,7 @@ DEFINE_CACHE_ALIGN_BUFFER(unsigned char, thor_rx_data_buf,
 /* ********************************************************** */
 /*         THOR protocol - transmission handling             */
 /* ********************************************************** */
-DEFINE_CACHE_ALIGN_BUFFER(char, f_name, F_NAME_BUF_SIZE);
+DEFINE_CACHE_ALIGN_BUFFER(char, f_name, F_NAME_BUF_SIZE + 1);
 static unsigned long long int thor_file_size;
 static int alt_setting_num;
 
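Review bot: the `+ 1` in the `f_name` definition is unexplained at the point where it appears, and the only thing that justifies it is the terminator write at index `F_NAME_BUF_SIZE` some 230 lines further down. A one-line comment here ("extra byte for the NUL terminator"), or a separate named constant for the storage size, would keep the two places coupled so that a later change to one of them does not silently turn the terminator store into an off-by-one write.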
@@ -276,6 +276,7 @@ static long long int process_rqt_download(const struct rqt_box *rqt)
 
                thor_file_size = rqt->int_data[1];
                memcpy(f_name, rqt->str_data[0], F_NAME_BUF_SIZE);
+               f_name[F_NAME_BUF_SIZE] = '\0';
 
                debug("INFO: name(%s, %d), size(%llu), type(%d)\n",
                      f_name, 0, thor_file_size, file_type);
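Review bot: the `memcpy()` in `process_rqt_download()` still copies a fixed `F_NAME_BUF_SIZE` bytes from `rqt->str_data[0]`, and nothing visible in this hunk ties that length to the size of the source field. The added `f_name[F_NAME_BUF_SIZE] = '\0';` bounds the later `%s` read in `debug()`, which is the right fix for an unterminated name from the sender, but it does not address the read side of the copy. A compile-time assertion that one `str_data` element is at least `F_NAME_BUF_SIZE` bytes, placed next to the `memcpy()`, would document that assumption and catch a future change to the request layout.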