usb: fastboot: fix potential buffer overflow

cb_getvar tries to prevent overflowing the response buffer
by using strncat. But strncat takes the number of data bytes
copied as a limit not the total buffer length so it can still
overflow. Pass the correct value instead.

cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
cc: Rob Herring <robh@kernel.org>
Signed-off-by: Jeroen Hofstee <jeroen@myspectrum.nl>
This commit is contained in:
Jeroen Hofstee 2014-06-14 00:57:14 +02:00 committed by Marek Vasut
parent 25d1936a19
commit 29425be49b

View File

@ -331,8 +331,11 @@ static void cb_getvar(struct usb_ep *ep, struct usb_request *req)
char *cmd = req->buf;
char response[RESPONSE_LEN];
const char *s;
size_t chars_left;
strcpy(response, "OKAY");
chars_left = sizeof(response) - strlen(response) - 1;
strsep(&cmd, ":");
if (!cmd) {
fastboot_tx_write_str("FAILmissing var");
@ -340,18 +343,18 @@ static void cb_getvar(struct usb_ep *ep, struct usb_request *req)
}
if (!strcmp_l1("version", cmd)) {
strncat(response, FASTBOOT_VERSION, sizeof(response));
strncat(response, FASTBOOT_VERSION, chars_left);
} else if (!strcmp_l1("bootloader-version", cmd)) {
strncat(response, U_BOOT_VERSION, sizeof(response));
strncat(response, U_BOOT_VERSION, chars_left);
} else if (!strcmp_l1("downloadsize", cmd)) {
char str_num[12];
sprintf(str_num, "%08x", CONFIG_USB_FASTBOOT_BUF_SIZE);
strncat(response, str_num, sizeof(response));
strncat(response, str_num, chars_left);
} else if (!strcmp_l1("serialno", cmd)) {
s = getenv("serial#");
if (s)
strncat(response, s, sizeof(response));
strncat(response, s, chars_left);
else
strcpy(response, "FAILValue not set");
} else {