Patrick Georgi (pgeorgi@google.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/7977
-gerrit
commit 06cb2f87a0fb4c67c25fd79797f7ac47f8ad79d5
Author: Patrick Georgi patrick@georgi-clan.de
Date: Mon Dec 29 20:37:45 2014 +0100
libpayload: avoid memory overflows
With commands typically shorter than the buffer they're copied to, copy cmdlen bytes, cut off by the buffer limit.
Change-Id: Ia9d2663bd145eff4538084ac1ef8850cfbcea924
Signed-off-by: Patrick Georgi patrick@georgi-clan.de
Found-by: Coverity Scan
---
payloads/libpayload/drivers/usb/usbmsc.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/payloads/libpayload/drivers/usb/usbmsc.c b/payloads/libpayload/drivers/usb/usbmsc.c
index 178f982..16f548a 100644
--- a/payloads/libpayload/drivers/usb/usbmsc.c
+++ b/payloads/libpayload/drivers/usb/usbmsc.c
@@ -199,13 +199,18 @@ wrap_cbw (cbw_t *cbw, int datalen, cbw_direction dir, const u8 *cmd,
 {
 memset (cbw, 0, sizeof (cbw_t));
+ /* commands are typically shorter, but we don't want overflows */ + if (cmdlen > sizeof(cbw->CBWCB)) { + cmdlen = sizeof(cbw->CBWCB); + } + cbw->dCBWSignature = cbw_signature; cbw->dCBWTag = ++tag; cbw->bCBWLUN = lun; // static value per device
 cbw->dCBWDataTransferLength = datalen;
 cbw->bmCBWFlags = dir;
- memcpy (cbw->CBWCB, cmd, sizeof (cbw->CBWCB));
+ memcpy (cbw->CBWCB, cmd, cmdlen);
 cbw->bCBWCBLength = cmdlen;
 }
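Review bot: The clamp added at the top of wrap_cbw silently truncates an over-long command: the device then receives a shortened command block with `bCBWCBLength` set to the clamped length, and the caller is never told that what was sent differs from what it asked for. The function's return type and the declaration of `cmdlen` are outside the hunk, so I cannot tell whether an error return is possible; if it is not, the `if` body should at least emit a diagnostic, and the comment should say that this is a caller bug, e.g. `/* a command longer than CBWCB is a caller bug; clamp so the copy stays in bounds */`. If `cmdlen` is a signed type, a negative value is converted to unsigned in the comparison and clamped to the full field size, so the `memcpy` would still read `sizeof(cbw->CBWCB)` bytes from `cmd` whatever its real length; an explicit `cmdlen < 0` check before the clamp would close that case.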