From 29425be49bf301b55807dd27f55678e6d0a81060 Mon Sep 17 00:00:00 2001
From: Jeroen Hofstee
Date: Sat, 14 Jun 2014 00:57:14 +0200
Subject: [PATCH] usb: fastboot: fix potential buffer overflow

cb_getvar tries to prevent overflowing the response buffer by using
strncat. But strncat takes the number of data bytes copied as a limit
not the total buffer length so it can still overflow. Pass the correct
value instead.

cc: Sebastian Andrzej Siewior
cc: Rob Herring
Signed-off-by: Jeroen Hofstee
---
 drivers/usb/gadget/f_fastboot.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/usb/gadget/f_fastboot.c b/drivers/usb/gadget/f_fastboot.c
index 9dd85b636e..7a1acb9df0 100644
--- a/drivers/usb/gadget/f_fastboot.c
+++ b/drivers/usb/gadget/f_fastboot.c
@@ -331,8 +331,11 @@ static void cb_getvar(struct usb_ep *ep, struct usb_request *req)
 	char *cmd = req->buf;
 	char response[RESPONSE_LEN];
 	const char *s;
+	size_t chars_left;
 
 	strcpy(response, "OKAY");
+	chars_left = sizeof(response) - strlen(response) - 1;
+
 	strsep(&cmd, ":");
 	if (!cmd) {
 		fastboot_tx_write_str("FAILmissing var");
@@ -340,18 +343,18 @@ static void cb_getvar(struct usb_ep *ep, struct usb_request *req)
 	}
 
 	if (!strcmp_l1("version", cmd)) {
-		strncat(response, FASTBOOT_VERSION, sizeof(response));
+		strncat(response, FASTBOOT_VERSION, chars_left);
 	} else if (!strcmp_l1("bootloader-version", cmd)) {
-		strncat(response, U_BOOT_VERSION, sizeof(response));
+		strncat(response, U_BOOT_VERSION, chars_left);
 	} else if (!strcmp_l1("downloadsize", cmd)) {
 		char str_num[12];
 
 		sprintf(str_num, "%08x", CONFIG_USB_FASTBOOT_BUF_SIZE);
-		strncat(response, str_num, sizeof(response));
+		strncat(response, str_num, chars_left);
 	} else if (!strcmp_l1("serialno", cmd)) {
 		s = getenv("serial#");
 		if (s)
-			strncat(response, s, sizeof(response));
+			strncat(response, s, chars_left);
 		else
 			strcpy(response, "FAILValue not set");
 	} else {
-- 
2.25.1
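Review bot: The new `chars_left` is computed once, right after the `"OKAY"` strcpy, so it is only a correct bound while each branch of the following if/else chain appends to `response` exactly once; a second strncat in any branch would again run past RESPONSE_LEN because the value is never recomputed. A comment at the assignment would pin that invariant for future edits, e.g. `/* room left after "OKAY"; valid for a single strncat per branch */`. The same assumption underlies every strncat in the second hunk of this file. cb_getvar begins before and continues past this hunk.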
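Review bot: The strncat calls on the new side now truncate silently, so a `serial#` value or version string longer than `chars_left` reaches the fastboot client with an OKAY prefix and a shortened value that is indistinguishable from a complete one. If the protocol needs the full value, compare `strlen(s)` against `chars_left` before appending and send a FAIL response instead; if truncation is acceptable, a comment above the chain such as `/* values longer than the remaining space are truncated */` would make that deliberate. The `strcpy(response, "FAILValue not set")` in the serialno branch overwrites the prefix rather than appending, so it is unaffected by the new bound. cb_getvar continues past the end of this hunk.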