[coreboot-gerrit] New patch to review for coreboot: 06cb2f8 libpayload: avoid memory overflows

Patrick Georgi (pgeorgi@google.com) gerrit at coreboot.org
Mon Dec 29 20:38:35 CET 2014


Patrick Georgi (pgeorgi at google.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/7977

-gerrit

commit 06cb2f87a0fb4c67c25fd79797f7ac47f8ad79d5
Author: Patrick Georgi <patrick at georgi-clan.de>
Date:   Mon Dec 29 20:37:45 2014 +0100

    libpayload: avoid memory overflows
    
    With commands typically shorter than the buffer they're
    copied to, copy cmdlen bytes, cut off by the buffer limit.
    
    Change-Id: Ia9d2663bd145eff4538084ac1ef8850cfbcea924
    Signed-off-by: Patrick Georgi <patrick at georgi-clan.de>
    Found-by: Coverity Scan
---
 payloads/libpayload/drivers/usb/usbmsc.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/payloads/libpayload/drivers/usb/usbmsc.c b/payloads/libpayload/drivers/usb/usbmsc.c
index 178f982..16f548a 100644
--- a/payloads/libpayload/drivers/usb/usbmsc.c
+++ b/payloads/libpayload/drivers/usb/usbmsc.c
@@ -199,13 +199,18 @@ wrap_cbw (cbw_t *cbw, int datalen, cbw_direction dir, const u8 *cmd,
 {
 	memset (cbw, 0, sizeof (cbw_t));
 
+	/* commands are typically shorter, but we don't want overflows */
+	if (cmdlen > sizeof(cbw->CBWCB)) {
+		cmdlen = sizeof(cbw->CBWCB);
+	}
+
 	cbw->dCBWSignature = cbw_signature;
 	cbw->dCBWTag = ++tag;
 	cbw->bCBWLUN = lun;	// static value per device
 
 	cbw->dCBWDataTransferLength = datalen;
 	cbw->bmCBWFlags = dir;
-	memcpy (cbw->CBWCB, cmd, sizeof (cbw->CBWCB));
+	memcpy (cbw->CBWCB, cmd, cmdlen);
 	cbw->bCBWCBLength = cmdlen;
 }
 
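Review bot: The new clamp at the top of wrap_cbw silently cuts an oversized cmdlen down to sizeof(cbw->CBWCB), so the device is sent a truncated command block with a matching bCBWCBLength and the caller never learns that its command was altered. A cmdlen larger than CBWCB points to a caller bug, so consider reporting it (a debug message, or an error return if the signature can change) rather than transmitting the shortened command. The declaration of cmdlen is not visible in this hunk; if it is a signed type, the comparison against sizeof only catches negative values through the implicit conversion to unsigned, which is worth stating in the comment. Style: the surrounding code writes `sizeof (cbw_t)` and `memcpy (` with a space before the parenthesis, while the added lines use `sizeof(cbw->CBWCB)`.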


