From patchwork Tue Dec 8 03:26:35 2015 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tom Rini X-Patchwork-Id: 553691 X-Patchwork-Delegate: sjg@chromium.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from theia.denx.de (theia.denx.de [85.214.87.163]) by ozlabs.org (Postfix) with ESMTP id 6951B1402C4 for ; Tue, 8 Dec 2015 14:26:49 +1100 (AEDT) Received: from localhost (localhost [127.0.0.1]) by theia.denx.de (Postfix) with ESMTP id 5AF854B6DF; Tue, 8 Dec 2015 04:26:42 +0100 (CET) Received: from theia.denx.de ([127.0.0.1]) by localhost (theia.denx.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aoKLVpxOL4Or; Tue, 8 Dec 2015 04:26:42 +0100 (CET) Received: from theia.denx.de (localhost [127.0.0.1]) by theia.denx.de (Postfix) with ESMTP id E010F4B6E6; Tue, 8 Dec 2015 04:26:40 +0100 (CET) Received: from localhost (localhost [127.0.0.1]) by theia.denx.de (Postfix) with ESMTP id 794114B67D for ; Tue, 8 Dec 2015 04:26:25 +0100 (CET) Received: from theia.denx.de ([127.0.0.1]) by localhost (theia.denx.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YBcbITo-qPxd for ; Tue, 8 Dec 2015 04:26:25 +0100 (CET) X-policyd-weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 (only DNSBL check requested) Received: from mail-qg0-f43.google.com (mail-qg0-f43.google.com [209.85.192.43]) by theia.denx.de (Postfix) with ESMTPS id 148E04B67C for ; Tue, 8 Dec 2015 04:26:20 +0100 (CET) Received: by qgea14 with SMTP id a14so6430726qge.0 for ; Mon, 07 Dec 2015 19:26:19 -0800 (PST) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=Lx9REO2xg0CC1cth/viXdIqH2WCQMJxQrKGcua8iqew=; b=Pw0oCLnJOa0WxWEdmyavA8smkneB5qdtx0NdetvMEZEq/PMF4L64gU1bx3RbOTc6Z1 nQjM9kJJSrUd8PdYP3XgY+//oPA6ufOdHbFmKYsfAN6EJCGvfAdgkBljnd4aKG/7F+BD CKwEsmGX4J8dEcBZluwtgRAAygUYfqJt2WodgjVNm3XqRlvm0pFfBsSFbylPR+sznqzg YleiWipHOBHlmSTDo7log2Pnqfypt1brDUgSXevrD2pfXyi/qx/3xwsFrGzL/1krxGCk tsqwdArGACZNecm4ksE7zOJYDkBw0rshiKN0q2oIFQ+/TosziU6IeHlASdgMzzkXLUiT vpYA== X-Received: by 10.140.101.51 with SMTP id t48mr1642297qge.71.1449545179546; Mon, 07 Dec 2015 19:26:19 -0800 (PST) Received: from localhost.localdomain (cpe-75-180-230-22.ec.res.rr.com. [75.180.230.22]) by smtp.gmail.com with ESMTPSA id p4sm604343qhp.45.2015.12.07.19.26.18 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 07 Dec 2015 19:26:18 -0800 (PST) From: Tom Rini To: u-boot@lists.denx.de Date: Mon, 7 Dec 2015 22:26:35 -0500 Message-Id: <1449545195-18195-3-git-send-email-trini@konsulko.com> X-Mailer: git-send-email 1.7.9.5 In-Reply-To: <1449545195-18195-1-git-send-email-trini@konsulko.com> References: <1449545195-18195-1-git-send-email-trini@konsulko.com> Subject: [U-Boot] [PATCH 3/3] sandbox: sandbox_flash.c: Ensure NUL-termination on product/vendor strings X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.15 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: u-boot-bounces@lists.denx.de Sender: "U-Boot" Coverity notes that we do not ensure when we copy in the product/vendor strings that they have NULL termination. In this case the answer is to increase the buffer we have and then set the last entry to NULL. Reported-by: Coverity (CID 131095) Cc: Simon Glass Signed-off-by: Tom Rini --- drivers/usb/emul/sandbox_flash.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/usb/emul/sandbox_flash.c b/drivers/usb/emul/sandbox_flash.c index 0965ad0..2811f52 100644 --- a/drivers/usb/emul/sandbox_flash.c +++ b/drivers/usb/emul/sandbox_flash.c @@ -79,8 +79,8 @@ struct scsi_inquiry_resp { u8 data_format; u8 additional_len; u8 spare[3]; - char vendor[8]; - char product[16]; + char vendor[9]; /* 8 + NUL-termination */ + char product[17]; /* 16 + NUL-termination */ char revision[4]; }; @@ -260,6 +260,8 @@ static int handle_ufi_command(struct sandbox_flash_plat *plat, strncpy(resp->product, plat->flash_strings[STRINGID_PRODUCT - 1].s, sizeof(resp->product)); + resp->vendor[8] = 0; + resp->product[16] = 0; strncpy(resp->revision, "1.0", sizeof(resp->revision)); setup_response(priv, resp, sizeof(*resp)); break;