]> git.baikalelectronics.ru Git - uboot.git/commitdiff
sandbox: usb: Fix out-of-bounds read when fd=-1
authorSean Anderson <seanga2@gmail.com>
Wed, 23 Mar 2022 22:24:38 +0000 (18:24 -0400)
committerSimon Glass <sjg@chromium.org>
Tue, 28 Jun 2022 02:09:51 +0000 (03:09 +0100)
sandbox_flash_bulk uses priv->read_len to determine if priv->buff contains
the response data (such as from SCSI_INQUIRY). However, if priv->fd=-1 in
handle_read, then priv->read_len is not set even though we are going to
PHASE_DATA. This causes sandbox_flash_bulk to try and read len bytes from
priv->buff, which likely goes past the end of the buffer. Fix this by always
setting priv->read_len even if we aren't going to read anything.

Fixes: f4f715360c ("dm: usb: sandbox: Add an emulator for USB flash devices")
Signed-off-by: Sean Anderson <seanga2@gmail.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
drivers/usb/emul/sandbox_flash.c

index cc80f671337974a91bf7da269090ad917350d716..01b2b41cce92ac36a2537f2da6a2059bf304c2c9 100644 (file)
@@ -228,9 +228,9 @@ static void handle_read(struct sandbox_flash_priv *priv, ulong lba,
                        ulong transfer_len)
 {
        debug("%s: lba=%lx, transfer_len=%lx\n", __func__, lba, transfer_len);
+       priv->read_len = transfer_len;
        if (priv->fd != -1) {
                os_lseek(priv->fd, lba * SANDBOX_FLASH_BLOCK_LEN, OS_SEEK_SET);
-               priv->read_len = transfer_len;
                setup_response(priv, priv->buff,
                               transfer_len * SANDBOX_FLASH_BLOCK_LEN);
        } else {
@@ -336,6 +336,9 @@ static int sandbox_flash_bulk(struct udevice *dev, struct usb_device *udev,
                        if (priv->read_len) {
                                ulong bytes_read;
 
+                               if (priv->fd == -1)
+                                       return -EIO;
+
                                bytes_read = os_read(priv->fd, buff, len);
                                if (bytes_read != len)
                                        return -EIO;