From: Seung-Woo Kim Date: Thu, 10 May 2018 01:52:14 +0000 (+0900) Subject: gadget: f_thor: fix filename overflow X-Git-Tag: v2018.07-rc1~130^2~9 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=f9e8dc0abda94869d2734843c1c14ba6f2867031;p=oweals%2Fu-boot.git gadget: f_thor: fix filename overflow The thor sender can send filename without null character and it is used without consideration of overflow. Actually, character array for filename is assigned with DEFINE_CACHE_ALIGN_BUFFER() and it is bigger than size of memcpy, so there was no real overflow. Fix filename overflow for code level integrity. Signed-off-by: Seung-Woo Kim --- diff --git a/drivers/usb/gadget/f_thor.c b/drivers/usb/gadget/f_thor.c index f874509cf3..6d38cb6d49 100644 --- a/drivers/usb/gadget/f_thor.c +++ b/drivers/usb/gadget/f_thor.c @@ -47,7 +47,7 @@ DEFINE_CACHE_ALIGN_BUFFER(unsigned char, thor_rx_data_buf, /* ********************************************************** */ /* THOR protocol - transmission handling */ /* ********************************************************** */ -DEFINE_CACHE_ALIGN_BUFFER(char, f_name, F_NAME_BUF_SIZE); +DEFINE_CACHE_ALIGN_BUFFER(char, f_name, F_NAME_BUF_SIZE + 1); static unsigned long long int thor_file_size; static int alt_setting_num; @@ -276,6 +276,7 @@ static long long int process_rqt_download(const struct rqt_box *rqt) thor_file_size = rqt->int_data[1]; memcpy(f_name, rqt->str_data[0], F_NAME_BUF_SIZE); + f_name[F_NAME_BUF_SIZE] = '\0'; debug("INFO: name(%s, %d), size(%llu), type(%d)\n", f_name, 0, thor_file_size, file_type);