From: Andrew Scull <ascull@google.com>
Date: Sun, 3 Apr 2022 10:39:12 +0000 (+0000)
Subject: usb: sandbox: Bounds check read from buffer
X-Git-Tag: v2025.01-rc5-pxa1908~1427^2~3
X-Git-Url: http://git.dujemihanovic.xyz/img/static/html/%7B%7B%20%24style.RelPermalink%20%7D%7D?a=commitdiff_plain;h=beb341ae7f43a4424ca321315a25fe9133030de2;p=u-boot.git

usb: sandbox: Bounds check read from buffer

The buffer is 512 bytes but read requests can be 800 bytes. Limit the
request to the size of the buffer.

Signed-off-by: Andrew Scull <ascull@google.com>
Cc: Simon Glass <sjg@chromium.org>
Cc: Marek Vasut <marex@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>
---

diff --git a/drivers/usb/emul/sandbox_flash.c b/drivers/usb/emul/sandbox_flash.c
index edabc1b3a7..cc80f67133 100644
--- a/drivers/usb/emul/sandbox_flash.c
+++ b/drivers/usb/emul/sandbox_flash.c
@@ -345,6 +345,8 @@ static int sandbox_flash_bulk(struct udevice *dev, struct usb_device *udev,
 			} else {
 				if (priv->alloc_len && len > priv->alloc_len)
 					len = priv->alloc_len;
+				if (len > sizeof(priv->buff))
+					len = sizeof(priv->buff);
 				memcpy(buff, priv->buff, len);
 				priv->phase = PHASE_STATUS;
 			}