From e3e96797ec020bba955ae59e173044987e5d4806 Mon Sep 17 00:00:00 2001
From: Oleksij Rempel
Date: Thu, 18 Jul 2013 16:44:46 +0200
Subject: [PATCH] k2_fw_usb_api: prevent buffer overflow. This was reproduced on intel USB 3.0 controller. After getting corrupt packet we was jumping bejond allocated buffer. Insted of oopsing we can at lest warn hier.
Signed-off-by: Oleksij Rempel
---
 target_firmware/magpie_fw_dev/target/hif/k2_fw_usb_api.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/target_firmware/magpie_fw_dev/target/hif/k2_fw_usb_api.c b/target_firmware/magpie_fw_dev/target/hif/k2_fw_usb_api.c
index b8adbf4..0be8a87 100755
--- a/target_firmware/magpie_fw_dev/target/hif/k2_fw_usb_api.c
+++ b/target_firmware/magpie_fw_dev/target/hif/k2_fw_usb_api.c
@@ -452,6 +452,11 @@ void vUsb_Reg_Out_patch(void)
 // accumulate the size
 cmdLen += usbfifolen;
+ if (cmdLen > buf->desc_list->buf_size) {
+ A_PRINTF("Data length on EP4 FIFO is bigger as allocated buffer data!"
+ " Drop it!\n");
+ goto ERR;
+ }
 // round it to alignment
 if(usbfifolen % 4)
--
2.25.1
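Review bot: The new bound check compares the unrounded `cmdLen` with `buf->desc_list->buf_size`, but the context lines right after it round `usbfifolen` up to a 4-byte multiple; if the copy that follows (outside this hunk) uses the rounded length, up to three bytes can still land past the buffer whenever `cmdLen` fits but is not 4-byte aligned. Either check the padded length, e.g. `if (((cmdLen + 3) & ~3) > buf->desc_list->buf_size) {` (assuming earlier fragments are already multiples of four), or confirm that `buf_size` is always a multiple of four so the unrounded check is sufficient. The `ERR` label and the declarations of `cmdLen` and `buf` are outside the hunk, so it is worth confirming that the error path resets the accumulated `cmdLen` and the pending-command state, otherwise the packet after a dropped one is appended to a stale length. Printing `cmdLen` and `buf_size` in the `A_PRINTF` would also make corrupt-packet reports easier to triage.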