author | Daisuke Nojiri <dnojiri@chromium.org> | 2020-08-26 12:25:40 -0700 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2020-08-27 01:03:12 +0000 |
commit | 9de8df970c9b04947c2a65cc8c45a4b4a894085d (patch) | |
tree | 2f1b2772a8b2d33528a40438e311c6a8faee33bc | |
parent | 5b647f412436dc60bb8523c11cd2ff107890b9f6 (diff) | |
download | chrome-ec-9de8df970c9b04947c2a65cc8c45a4b4a894085d.tar.gz |
CBI: Validate data size of input from host
Currently, the size of input data is not verified. This can cause
read overflow in cbi_set_data.
This patch makes the host command handler validate the input data
size.
BUG=chromium:1114458
BRANCH=none
TEST=cros_fuzz --board=amd64-generic reproduce \
--fuzzer ec_host_command_fuzzer \
--testcase ...ec_host_command_fuzzer-5111452783935488 \
--package chromeos-ec --build-type asan
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Change-Id: Ia3e03cd6bb857e0fa594de9d8cc66d8788d6dcd8
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/2378203
Reviewed-by: Jett Rink <jettrink@chromium.org>
-rw-r--r-- | common/cbi.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/common/cbi.c b/common/cbi.c index e30e35aad3..c6fa213807 100644 --- a/common/cbi.c +++ b/common/cbi.c @@ -391,6 +391,10 @@ static enum ec_status hc_cbi_set(struct host_cmd_handler_args *args) return EC_RES_ERROR; } + /* Given data size exceeds the packet size. */ + if (args->params_size < sizeof(*p) + p->size) + return EC_RES_INVALID_PARAM; + if (cbi_set_board_info(p->tag, p->data, p->size)) return EC_RES_INVALID_PARAM; |
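
Review bot: the new bound `args->params_size < sizeof(*p) + p->size` adds the host-supplied `p->size` to `sizeof(*p)` before comparing, so a size value large enough to wrap the sum would pass the check and still reach `cbi_set_board_info(p->tag, p->data, p->size)`. Whether the sum can wrap depends on the width of `p->size` and of `size_t` on the EC target, neither of which is visible in this hunk. Comparing by subtraction avoids the question: first reject `args->params_size < sizeof(*p)`, then reject `p->size > args->params_size - sizeof(*p)`. The first of those checks also guarantees that `p->size` itself lies inside the received packet before it is read, which the context lines shown here do not establish.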