diff options
author | Venkateswara Rao Mandela <venkat.mandela@ti.com> | 2017-03-08 20:44:34 +0530 |
---|---|---|
committer | Praneeth Bajjuri <praneeth@ti.com> | 2017-07-19 23:25:20 -0500 |
commit | 3c7d22946028ca84019268f884d112dd89116ce1 (patch) | |
tree | 7bf7c463f8db2ee3a0f5db381280678cd2a6c537 | |
parent | abb109459b420c512fbd40f222c2f4688efcc3c5 (diff) | |
download | jacinto6evm-3c7d22946028ca84019268f884d112dd89116ce1.tar.gz |
fastboot: flash: add buffer overflow check for cmd
As the sf flash commands are generated using sprintf, there is
possibilty of buffer overflow between commands. To avoid this issue, we
define a macro for the length of the command buffer and use snprintf to
prevent buffer overflow.
Change-Id: I2ea0a9113067238cdca9d2015c6e8b11602b1b01
Signed-off-by: Venkateswara Rao Mandela <venkat.mandela@ti.com>
-rw-r--r-- | drivers/usb/gadget/f_fastboot.c | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/drivers/usb/gadget/f_fastboot.c b/drivers/usb/gadget/f_fastboot.c index 1c9ecb7ecd..d125d2a1bf 100644 --- a/drivers/usb/gadget/f_fastboot.c +++ b/drivers/usb/gadget/f_fastboot.c @@ -64,7 +64,8 @@ static struct f_fastboot *fastboot_func; static unsigned int fastboot_flash_session_id; static unsigned int download_size; static unsigned int download_bytes; -static char f_cmdbuf[MAX_CMDS][32]; +#define FB_MAX_CMD_LEN (32) +static char f_cmdbuf[MAX_CMDS][FB_MAX_CMD_LEN]; static int flash_spi; static struct usb_endpoint_descriptor fs_ep_in = { @@ -618,16 +619,16 @@ static int fastboot_update_zimage(void); static void fastboot_update_bootloader(char *cmd) { - char cmdbuf[32]; + char cmdbuf[FB_MAX_CMD_LEN]; reset_fastboot_cmd(); if (strncmp("xloader", cmd, 7) == 0) { - sprintf(cmdbuf, "sf write 0x%x 0 40000", - (unsigned int)CONFIG_FASTBOOT_BUF_ADDR); + snprintf(cmdbuf, FB_MAX_CMD_LEN, "sf write 0x%x 0 40000", + (unsigned int)CONFIG_FASTBOOT_BUF_ADDR); add_fastboot_cmd(0, cmdbuf); } else if (strncmp("bootloader", cmd, 10) == 0) { - sprintf(cmdbuf, "sf write 0x%x 40000 100000", - (unsigned int)CONFIG_FASTBOOT_BUF_ADDR); + snprintf(cmdbuf, FB_MAX_CMD_LEN, "sf write 0x%x 40000 100000", + (unsigned int)CONFIG_FASTBOOT_BUF_ADDR); add_fastboot_cmd(0, cmdbuf); } run_fastboot_cmd(); @@ -821,7 +822,7 @@ static void cb_flash(struct usb_ep *ep, struct usb_request *req) static void cb_oem(struct usb_ep *ep, struct usb_request *req) { char *cmd = req->buf; - char cmdbuf[32]; + char cmdbuf[FB_MAX_CMD_LEN]; reset_fastboot_cmd(); |