[coreboot-gerrit] New patch to review for coreboot: 06cb2f8 libpayload: avoid memory overflows
Patrick Georgi (pgeorgi@google.com)
gerrit at coreboot.org
Mon Dec 29 20:38:35 CET 2014
Patrick Georgi (pgeorgi at google.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/7977
-gerrit
commit 06cb2f87a0fb4c67c25fd79797f7ac47f8ad79d5
Author: Patrick Georgi <patrick at georgi-clan.de>
Date: Mon Dec 29 20:37:45 2014 +0100
libpayload: avoid memory overflows
With commands typically shorter than the buffer they're
copied to, copy cmdlen bytes, cut off by the buffer limit.
Change-Id: Ia9d2663bd145eff4538084ac1ef8850cfbcea924
Signed-off-by: Patrick Georgi <patrick at georgi-clan.de>
Found-by: Coverity Scan
---
payloads/libpayload/drivers/usb/usbmsc.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/payloads/libpayload/drivers/usb/usbmsc.c b/payloads/libpayload/drivers/usb/usbmsc.c
index 178f982..16f548a 100644
--- a/payloads/libpayload/drivers/usb/usbmsc.c
+++ b/payloads/libpayload/drivers/usb/usbmsc.c
@@ -199,13 +199,18 @@ wrap_cbw (cbw_t *cbw, int datalen, cbw_direction dir, const u8 *cmd,
{
memset (cbw, 0, sizeof (cbw_t));
+ /* commands are typically shorter, but we don't want overflows */
+ if (cmdlen > sizeof(cbw->CBWCB)) {
+ cmdlen = sizeof(cbw->CBWCB);
+ }
+
cbw->dCBWSignature = cbw_signature;
cbw->dCBWTag = ++tag;
cbw->bCBWLUN = lun; // static value per device
cbw->dCBWDataTransferLength = datalen;
cbw->bmCBWFlags = dir;
- memcpy (cbw->CBWCB, cmd, sizeof (cbw->CBWCB));
+ memcpy (cbw->CBWCB, cmd, cmdlen);
cbw->bCBWCBLength = cmdlen;
}
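Review bot: The new clamp at the top of wrap_cbw (`if (cmdlen > sizeof(cbw->CBWCB))`) truncates an oversized command silently. The shortened command block is still sent to the device with a matching bCBWCBLength, and the caller gets no indication that anything was cut. Consider logging the condition, or rejecting the request before it reaches this point, rather than transmitting a truncated command. The type of cmdlen is not visible in this hunk. If it is signed, the comparison against sizeof converts it to unsigned, so negative values are also clamped; an unsigned parameter type or a short comment would make that intent explicit. Minor style point: the surrounding lines write `memset (` and `sizeof (cbw_t)` with a space before the parenthesis, while the added lines use `sizeof(cbw->CBWCB)`.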