From: Jeroen Hofstee Date: Fri, 13 Jun 2014 22:57:14 +0000 (+0200) Subject: usb: fastboot: fix potential buffer overflow X-Git-Tag: v2014.07-rc4~11 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=29425be49bf301b55807dd27f55678e6d0a81060;p=u-boot usb: fastboot: fix potential buffer overflow cb_getvar tries to prevent overflowing the response buffer by using strncat. But strncat takes the number of data bytes copied as a limit not the total buffer length so it can still overflow. Pass the correct value instead. cc: Sebastian Andrzej Siewior cc: Rob Herring Signed-off-by: Jeroen Hofstee --- diff --git a/drivers/usb/gadget/f_fastboot.c b/drivers/usb/gadget/f_fastboot.c index 9dd85b636e..7a1acb9df0 100644 --- a/drivers/usb/gadget/f_fastboot.c +++ b/drivers/usb/gadget/f_fastboot.c @@ -331,8 +331,11 @@ static void cb_getvar(struct usb_ep *ep, struct usb_request *req) char *cmd = req->buf; char response[RESPONSE_LEN]; const char *s; + size_t chars_left; strcpy(response, "OKAY"); + chars_left = sizeof(response) - strlen(response) - 1; + strsep(&cmd, ":"); if (!cmd) { fastboot_tx_write_str("FAILmissing var"); @@ -340,18 +343,18 @@ static void cb_getvar(struct usb_ep *ep, struct usb_request *req) } if (!strcmp_l1("version", cmd)) { - strncat(response, FASTBOOT_VERSION, sizeof(response)); + strncat(response, FASTBOOT_VERSION, chars_left); } else if (!strcmp_l1("bootloader-version", cmd)) { - strncat(response, U_BOOT_VERSION, sizeof(response)); + strncat(response, U_BOOT_VERSION, chars_left); } else if (!strcmp_l1("downloadsize", cmd)) { char str_num[12]; sprintf(str_num, "%08x", CONFIG_USB_FASTBOOT_BUF_SIZE); - strncat(response, str_num, sizeof(response)); + strncat(response, str_num, chars_left); } else if (!strcmp_l1("serialno", cmd)) { s = getenv("serial#"); if (s) - strncat(response, s, sizeof(response)); + strncat(response, s, chars_left); else strcpy(response, "FAILValue not set"); } else {