From 1115f88eff8329295f7a3f4021079c2b6e4c9606 Mon Sep 17 00:00:00 2001 From: Seung-Woo Kim Date: Wed, 9 May 2018 16:14:00 +0900 Subject: [PATCH] gadget: f_thor: fix filename overflow The thor sender can send filename without null character and it is used without consideration of overflow. Actually, character array for filename is assigned with DEFINE_CACHE_ALIGN_BUFFER() and it is bigger than size of memcpy, so there was no real overflow. Fix filename overflow for code level integrity. Change-Id: I774e4812b743d6fd99e52feadf84488708bc652c Signed-off-by: Seung-Woo Kim --- drivers/usb/gadget/f_thor.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/usb/gadget/f_thor.c b/drivers/usb/gadget/f_thor.c index 6fce946f9c..a279758169 100644 --- a/drivers/usb/gadget/f_thor.c +++ b/drivers/usb/gadget/f_thor.c @@ -53,7 +53,7 @@ DEFINE_CACHE_ALIGN_BUFFER(unsigned char, thor_rx_data_buf, /* ********************************************************** */ /* THOR protocol - transmission handling */ /* ********************************************************** */ -DEFINE_CACHE_ALIGN_BUFFER(char, f_name, F_NAME_BUF_SIZE); +DEFINE_CACHE_ALIGN_BUFFER(char, f_name, F_NAME_BUF_SIZE + 1); static size_t thor_file_size; #ifdef CONFIG_TIZEN static unsigned long long int total_file_size; @@ -298,6 +298,7 @@ static int process_rqt_download(const struct rqt_box *rqt) thor_file_size = (uint32_t)rqt->int_data[1]; memcpy(f_name, rqt->str_data[0], F_NAME_BUF_SIZE); + f_name[F_NAME_BUF_SIZE] = '\0'; debug("INFO: name(%s, %d), size(%zu), type(%d)\n", f_name, 0, thor_file_size, file_type); -- 2.34.1