gadget: f_thor: fix filename overflow

The thor sender can send filename without null character and it is used without consideration of overflow. Actually, character array for filename is assigned with DEFINE_CACHE_ALIGN_BUFFER() and it is bigger than size of memcpy, so there was no real overflow. Fix filename overflow for code level integrity. Signed-off-by: N Seung-Woo Kim <sw0312.kim@samsung.com>

gadget: f_thor: fix filename overflow
The thor sender can send filename without null character and it is used without consideration of overflow. Actually, character array for filename is assigned with DEFINE_CACHE_ALIGN_BUFFER() and it is bigger than size of memcpy, so there was no real overflow. Fix filename overflow for code level integrity. Signed-off-by: N Seung-Woo Kim <sw0312.kim@samsung.com>
f9e8dc0a · Seung-Woo Kim · Marek Vasut · 233719cc · f9e8dc0a
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

drivers/usb/gadget/f_thor.c drivers/usb/gadget/f_thor.c +2 -1

未找到文件。
--- a/drivers/usb/gadget/f_thor.c
+++ b/drivers/usb/gadget/f_thor.c
@@ -47,7 +47,7 @@ DEFINE_CACHE_ALIGN_BUFFER(unsigned char, thor_rx_data_buf,
 /* ********************************************************** */
 /*         THOR protocol - transmission handling	      */
 /* ********************************************************** */
-DEFINE_CACHE_ALIGN_BUFFER(char, f_name, F_NAME_BUF_SIZE);
+DEFINE_CACHE_ALIGN_BUFFER(char, f_name, F_NAME_BUF_SIZE + 1);
 static unsigned long long int thor_file_size;
 static int alt_setting_num;

@@ -276,6 +276,7 @@ static long long int process_rqt_download(const struct rqt_box *rqt)

 		thor_file_size = rqt->int_data[1];
 		memcpy(f_name, rqt->str_data[0], F_NAME_BUF_SIZE);
+		f_name[F_NAME_BUF_SIZE] = '\0';

 		debug("INFO: name(%s, %d), size(%llu), type(%d)\n",
 		      f_name, 0, thor_file_size, file_type);