From patchwork Tue Sep 30 19:05:42 2014 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Nelson X-Patchwork-Id: 395073 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from theia.denx.de (theia.denx.de [85.214.87.163]) by ozlabs.org (Postfix) with ESMTP id 9414214013A for ; Wed, 1 Oct 2014 05:06:33 +1000 (EST) Received: from localhost (localhost [127.0.0.1]) by theia.denx.de (Postfix) with ESMTP id DC7AAA7404; Tue, 30 Sep 2014 21:06:19 +0200 (CEST) Received: from theia.denx.de ([127.0.0.1]) by localhost (theia.denx.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id etsi8z0hwLrW; Tue, 30 Sep 2014 21:06:19 +0200 (CEST) Received: from theia.denx.de (localhost [127.0.0.1]) by theia.denx.de (Postfix) with ESMTP id E15E0A73E9; Tue, 30 Sep 2014 21:06:13 +0200 (CEST) Received: from localhost (localhost [127.0.0.1]) by theia.denx.de (Postfix) with ESMTP id 1D9644B604 for ; Tue, 30 Sep 2014 21:06:08 +0200 (CEST) Received: from theia.denx.de ([127.0.0.1]) by localhost (theia.denx.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a5ZOGRZiixeT for ; Tue, 30 Sep 2014 21:06:08 +0200 (CEST) X-policyd-weight: NOT_IN_SBL_XBL_SPAMHAUS=-1.5 NOT_IN_SPAMCOP=-1.5 NOT_IN_BL_NJABL=-1.5 (only DNSBL check requested) Received: from mail-pd0-f178.google.com (mail-pd0-f178.google.com [209.85.192.178]) by theia.denx.de (Postfix) with ESMTPS id 3F977AB56A for ; Tue, 30 Sep 2014 21:06:02 +0200 (CEST) Received: by mail-pd0-f178.google.com with SMTP id y10so4992895pdj.23 for ; Tue, 30 Sep 2014 12:06:00 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=FlcISRZdb9IznSuQfBSmywGvpLMWswXEIlTwPSSoM7M=; b=GjxgakzDwIHPhE4htSAv7h0pVs1LJgqa4Ed+ke4uPPB8W5btJ0H0zPfveEkYPHJZdZ xz6H7kp+R7Hb6qeP4//xvoOQ12k8JFsXCiUcd8ibf4t7oZGXDZemKmqMNAA+EmNHGHFQ gKAmp2FNglWqPtc389Sg7ZJXrt2kCwV3oY500PvkqE8JhDUXbx1ZL5UZpKQqPKY8UE29 tFEl9/wbvKX9N4YUigyKaj07+oQ24im/Mv+bFs1ND4CPft+k7u9Ic9oKEhKTcvMOZMZy +hZ3vHTLR3tYV4vSWKeHiOW29rM5vD9dq3k2mitCPAulxzBDbqj5SKurf6OE2wseOc+s 2fPw== X-Gm-Message-State: ALoCoQm70Zha5UGm4HyY/uCy2tppOIjEn9oG05W699nxlWmOryRYDOfgrOFTVQNc39BmaockVib2 X-Received: by 10.68.103.4 with SMTP id fs4mr72748670pbb.58.1412103960594; Tue, 30 Sep 2014 12:06:00 -0700 (PDT) Received: from localhost.localdomain (97-117-169-114.phnx.qwest.net. [97.117.169.114]) by mx.google.com with ESMTPSA id nj3sm15860726pdb.70.2014.09.30.12.05.57 for (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Tue, 30 Sep 2014 12:05:59 -0700 (PDT) From: Eric Nelson To: u-boot@lists.denx.de Date: Tue, 30 Sep 2014 12:05:42 -0700 Message-Id: <1412103942-28331-4-git-send-email-eric.nelson@boundarydevices.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1412103942-28331-1-git-send-email-eric.nelson@boundarydevices.com> References: <1412103942-28331-1-git-send-email-eric.nelson@boundarydevices.com> Cc: marex@denx.de, srae@broadcom.com, jeroen@myspectrum.nl Subject: [U-Boot] [PATCH 3/3] usb: gadget: fastboot: terminate commands with NULL X-BeenThere: u-boot@lists.denx.de X-Mailman-Version: 2.1.13 Precedence: list List-Id: U-Boot discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Sender: u-boot-bounces@lists.denx.de Errors-To: u-boot-bounces@lists.denx.de Without NULL termination, various commands will read past the end of input. In particular, this was noticed with error() calls in cb_getvar and simple_strtoul() in cb_download. Since the download callback happens elsewhere, the 4k buffer should always be sufficient to handle command arguments. Signed-off-by: Eric Nelson Tested-by: Steve Rae --- drivers/usb/gadget/f_fastboot.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/drivers/usb/gadget/f_fastboot.c b/drivers/usb/gadget/f_fastboot.c index 86700f5..0950ea8 100644 --- a/drivers/usb/gadget/f_fastboot.c +++ b/drivers/usb/gadget/f_fastboot.c @@ -542,6 +542,13 @@ static void rx_handler_command(struct usb_ep *ep, struct usb_request *req) error("unknown command: %s\n", cmdbuf); fastboot_tx_write_str("FAILunknown command"); } else { + if (req->actual < req->length) { + u8 *buf = (u8 *)req->buf; + buf[req->actual] = 0; + func_cb(ep, req); + } else { + error("buffer overflow\n"); + } func_cb(ep, req); }