summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPatrick Georgi <patrick@georgi-clan.de>2014-12-29 20:37:45 +0100
committerPatrick Georgi <pgeorgi@google.com>2015-01-03 23:58:23 +0100
commit3cb56e934f9e52597cb70caea3aa6c84f192d445 (patch)
treee1b6bbc629e153e1613ff1e8e62f6ae8d954fa19
parent8180d1a22f54f2a792c9187d98d15b2501d35aa7 (diff)
downloadcoreboot-3cb56e934f9e52597cb70caea3aa6c84f192d445.tar.xz
libpayload: avoid memory overflows
With commands typically shorter than the buffer they're copied to, copy cmdlen bytes, cut off by the buffer limit. Change-Id: Ia9d2663bd145eff4538084ac1ef8850cfbcea924 Signed-off-by: Patrick Georgi <patrick@georgi-clan.de> Found-by: Coverity Scan Reviewed-on: http://review.coreboot.org/7977 Tested-by: build bot (Jenkins) Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net> Reviewed-by: Edward O'Callaghan <eocallaghan@alterapraxis.com>
-rw-r--r--payloads/libpayload/drivers/usb/usbmsc.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/payloads/libpayload/drivers/usb/usbmsc.c b/payloads/libpayload/drivers/usb/usbmsc.c
index 62428b6ebe..ccd693a84d 100644
--- a/payloads/libpayload/drivers/usb/usbmsc.c
+++ b/payloads/libpayload/drivers/usb/usbmsc.c
@@ -200,6 +200,11 @@ wrap_cbw (cbw_t *cbw, int datalen, cbw_direction dir, const u8 *cmd,
{
memset (cbw, 0, sizeof (cbw_t));
+ /* commands are typically shorter, but we don't want overflows */
+ if (cmdlen > sizeof(cbw->CBWCB)) {
+ cmdlen = sizeof(cbw->CBWCB);
+ }
+
cbw->dCBWSignature = cbw_signature;
cbw->dCBWTag = ++tag;
cbw->bCBWLUN = lun;