From: Seung-Woo Kim Date: Wed, 9 May 2018 07:14:00 +0000 (+0900) Subject: gadget: f_thor: fix filename overflow X-Git-Tag: submit/tizen/20180904.010142~8 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=refs%2Fchanges%2F98%2F178298%2F4;p=platform%2Fkernel%2Fu-boot.git gadget: f_thor: fix filename overflow The thor sender can send filename without null character and it is used without consideration of overflow. Actually, character array for filename is assigned with DEFINE_CACHE_ALIGN_BUFFER() and it is bigger than size of memcpy, so there was no real overflow. Fix filename overflow for code level integrity. Change-Id: I774e4812b743d6fd99e52feadf84488708bc652c Signed-off-by: Seung-Woo Kim --- diff --git a/drivers/usb/gadget/f_thor.c b/drivers/usb/gadget/f_thor.c index 6fce946f9c..a279758169 100644 --- a/drivers/usb/gadget/f_thor.c +++ b/drivers/usb/gadget/f_thor.c @@ -53,7 +53,7 @@ DEFINE_CACHE_ALIGN_BUFFER(unsigned char, thor_rx_data_buf, /* ********************************************************** */ /* THOR protocol - transmission handling */ /* ********************************************************** */ -DEFINE_CACHE_ALIGN_BUFFER(char, f_name, F_NAME_BUF_SIZE); +DEFINE_CACHE_ALIGN_BUFFER(char, f_name, F_NAME_BUF_SIZE + 1); static size_t thor_file_size; #ifdef CONFIG_TIZEN static unsigned long long int total_file_size; @@ -298,6 +298,7 @@ static int process_rqt_download(const struct rqt_box *rqt) thor_file_size = (uint32_t)rqt->int_data[1]; memcpy(f_name, rqt->str_data[0], F_NAME_BUF_SIZE); + f_name[F_NAME_BUF_SIZE] = '\0'; debug("INFO: name(%s, %d), size(%zu), type(%d)\n", f_name, 0, thor_file_size, file_type);