Without NULL termination, various commands will read past the
end of input. In particular, this was noticed with error()
calls in cb_getvar and simple_strtoul() in cb_download.
Since the download callback happens elsewhere, the 4k buffer
should always be sufficient to handle command arguments.
Signed-off-by: Eric Nelson <eric.nel...@boundarydevices.com>
---
V2 adds response to host in the event of failure and removes
double call-back via func_cb as pointed out by Steve Rae.
drivers/usb/gadget/f_fastboot.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/usb/gadget/f_fastboot.c b/drivers/usb/gadget/f_fastboot.c
index 86700f5..0c91d3c 100644
--- a/drivers/usb/gadget/f_fastboot.c
+++ b/drivers/usb/gadget/f_fastboot.c
@@ -542,7 +542,14 @@ static void rx_handler_command(struct usb_ep *ep, struct
usb_request *req)
error("unknown command: %s\n", cmdbuf);
fastboot_tx_write_str("FAILunknown command");
} else {
- func_cb(ep, req);
+ if (req->actual < req->length) {
+ u8 *buf = (u8 *)req->buf;
+ buf[req->actual] = 0;
+ func_cb(ep, req);
+ } else {
+ error("buffer overflow\n");
+ fastboot_tx_write_str("FAILbuffer overflow");
+ }
}
if (req->status == 0) {
--
1.9.1
_______________________________________________
U-Boot mailing list
U-Boot@lists.denx.de
http://lists.denx.de/mailman/listinfo/u-boot
