gadget: f_thor: fix filename overflow 98/178298/4
author Seung-Woo Kim <sw0312.kim@samsung.com>
Wed, 9 May 2018 07:14:00 +0000 (16:14 +0900)
committer Seung-Woo Kim <sw0312.kim@samsung.com>
Thu, 10 May 2018 07:29:25 +0000 (07:29 +0000)
The thor sender can send a filename without a null character and it is
used without consideration of overflow. Actually, the character array
for the filename is assigned with DEFINE_CACHE_ALIGN_BUFFER() and it
is bigger than the size of the memcpy, so there was no real overflow.
Fix filename overflow for code level integrity.

Change-Id: I774e4812b743d6fd99e52feadf84488708bc652c
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
drivers/usb/gadget/f_thor.c

index 6fce946f9c57b30137740c3f1cdf86e57741ffb2..a279758169285057e70afc476d2d8e3cffaf9a85 100644 (file)
@@ -53,7 +53,7 @@ DEFINE_CACHE_ALIGN_BUFFER(unsigned char, thor_rx_data_buf,
 /* ********************************************************** */
 /*         THOR protocol - transmission handling             */
 /* ********************************************************** */
-DEFINE_CACHE_ALIGN_BUFFER(char, f_name, F_NAME_BUF_SIZE);
+DEFINE_CACHE_ALIGN_BUFFER(char, f_name, F_NAME_BUF_SIZE + 1);
 static size_t thor_file_size;
 #ifdef CONFIG_TIZEN
 static unsigned long long int total_file_size;
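Review bot: the `+ 1` on the f_name definition carries no comment saying what the extra byte is for, so a later cleanup could drop it and leave the `f_name[F_NAME_BUF_SIZE] = '\0';` store in process_rqt_download() writing one element past the declared size. Suggest a short comment on this line noting that the extra byte holds the trailing '\0', or a single named constant for the buffer length that both this definition and the terminator index are derived from.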
@@ -298,6 +298,7 @@ static int process_rqt_download(const struct rqt_box *rqt)
 
                thor_file_size = (uint32_t)rqt->int_data[1];
                memcpy(f_name, rqt->str_data[0], F_NAME_BUF_SIZE);
+               f_name[F_NAME_BUF_SIZE] = '\0';
 
                debug("INFO: name(%s, %d), size(%zu), type(%d)\n",
                      f_name, 0, thor_file_size, file_type);
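Review bot: the memcpy() in process_rqt_download() still copies a fixed F_NAME_BUF_SIZE bytes from rqt->str_data[0], and the added terminator only bounds the destination, so a name that arrives with no NUL inside those bytes is accepted silently at full length and then used as the file name. Consider logging or rejecting that case by checking for a NUL within the first F_NAME_BUF_SIZE bytes before the name is used, and confirm that each str_data element is at least F_NAME_BUF_SIZE bytes, since its size is not visible in this hunk.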