Gitiles
Code Review Sign In
review.coreboot.org / coreboot / 3cb56e934f9e52597cb70caea3aa6c84f192d445^! / . / payloads / libpayload / drivers / usb / usbmsc.c
commit3cb56e934f9e52597cb70caea3aa6c84f192d445[log] [tgz]
authorPatrick Georgi <patrick@georgi-clan.de>Mon Dec 29 20:37:45 2014 +0100
committerPatrick Georgi <pgeorgi@google.com>Sat Jan 03 23:58:23 2015 +0100
treee1b6bbc629e153e1613ff1e8e62f6ae8d954fa19
parent8180d1a22f54f2a792c9187d98d15b2501d35aa7 [diff] [blame]
libpayload: avoid memory overflows

With commands typically shorter than the buffer they're
copied to, copy cmdlen bytes, cut off by the buffer limit.

Change-Id: Ia9d2663bd145eff4538084ac1ef8850cfbcea924
Signed-off-by: Patrick Georgi <patrick@georgi-clan.de>
Found-by: Coverity Scan
Reviewed-on: http://review.coreboot.org/7977
Tested-by: build bot (Jenkins)
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Reviewed-by: Edward O'Callaghan <eocallaghan@alterapraxis.com>

diff --git a/payloads/libpayload/drivers/usb/usbmsc.c b/payloads/libpayload/drivers/usb/usbmsc.c
index 62428b6..ccd693a 100644
--- a/payloads/libpayload/drivers/usb/usbmsc.c
+++ b/payloads/libpayload/drivers/usb/usbmsc.c

@@ -200,6 +200,11 @@
 {
 	memset (cbw, 0, sizeof (cbw_t));
 
+	/* commands are typically shorter, but we don't want overflows */
+	if (cmdlen > sizeof(cbw->CBWCB)) {
+		cmdlen = sizeof(cbw->CBWCB);
+	}
+
 	cbw->dCBWSignature = cbw_signature;
 	cbw->dCBWTag = ++tag;
 	cbw->bCBWLUN = lun;