usb: sandbox: Bounds check read from buffer
authorAndrew Scull <ascull@google.com>
Sun, 3 Apr 2022 10:39:12 +0000 (10:39 +0000)
committerTom Rini <trini@konsulko.com>
Fri, 29 Apr 2022 15:11:36 +0000 (11:11 -0400)
The buffer is 512 bytes but read requests can be 800 bytes. Limit the
request to the size of the buffer.

Signed-off-by: Andrew Scull <ascull@google.com>
Cc: Simon Glass <sjg@chromium.org>
Cc: Marek Vasut <marex@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
drivers/usb/emul/sandbox_flash.c

index edabc1b3a7ad25bbfa218138aefa2d9f48414ef2..cc80f671337974a91bf7da269090ad917350d716 100644 (file)
@@ -345,6 +345,8 @@ static int sandbox_flash_bulk(struct udevice *dev, struct usb_device *udev,
                        } else {
                                if (priv->alloc_len && len > priv->alloc_len)
                                        len = priv->alloc_len;
+                               if (len > sizeof(priv->buff))
+                                       len = sizeof(priv->buff);
                                memcpy(buff, priv->buff, len);
                                priv->phase = PHASE_STATUS;
                        }