summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSeung-Woo Kim <sw0312.kim@samsung.com>2018-05-10 10:52:14 +0900
committerMarek Vasut <marex@denx.de>2018-05-18 13:17:30 +0200
commitf9e8dc0abda94869d2734843c1c14ba6f2867031 (patch)
treed64677621fc69e0598c5ccad489ca2e55c5e1529
parent233719cc40b5a00f37949d4173c190edcb4491a1 (diff)
downloadu-boot-f9e8dc0abda94869d2734843c1c14ba6f2867031.tar.gz
u-boot-f9e8dc0abda94869d2734843c1c14ba6f2867031.tar.xz
u-boot-f9e8dc0abda94869d2734843c1c14ba6f2867031.zip
gadget: f_thor: fix filename overflow
The thor sender can send filename without null character and it is used without consideration of overflow. Actually, character array for filename is assigned with DEFINE_CACHE_ALIGN_BUFFER() and it is bigger than size of memcpy, so there was no real overflow. Fix filename overflow for code level integrity. Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
-rw-r--r--drivers/usb/gadget/f_thor.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/drivers/usb/gadget/f_thor.c b/drivers/usb/gadget/f_thor.c
index f874509cf3..6d38cb6d49 100644
--- a/drivers/usb/gadget/f_thor.c
+++ b/drivers/usb/gadget/f_thor.c
@@ -47,7 +47,7 @@ DEFINE_CACHE_ALIGN_BUFFER(unsigned char, thor_rx_data_buf,
/* ********************************************************** */
/* THOR protocol - transmission handling */
/* ********************************************************** */
-DEFINE_CACHE_ALIGN_BUFFER(char, f_name, F_NAME_BUF_SIZE);
+DEFINE_CACHE_ALIGN_BUFFER(char, f_name, F_NAME_BUF_SIZE + 1);
static unsigned long long int thor_file_size;
static int alt_setting_num;
@@ -276,6 +276,7 @@ static long long int process_rqt_download(const struct rqt_box *rqt)
thor_file_size = rqt->int_data[1];
memcpy(f_name, rqt->str_data[0], F_NAME_BUF_SIZE);
+ f_name[F_NAME_BUF_SIZE] = '\0';
debug("INFO: name(%s, %d), size(%llu), type(%d)\n",
f_name, 0, thor_file_size, file_type);