authorNicolas Boichat <drinkcat@chromium.org>2018-06-23 09:31:54 +0800
committerchrome-bot <chrome-bot@chromium.org>2018-06-27 22:07:47 -0700
commitf8d042c8212c8186f07ef913395d29871db68f38 (patch)
treec34127c40c3c4c042761756940f6e8eea0896d2e
parent2d94ff98bb34021560f7a04df09cacadee55fccf (diff)
downloadchrome-ec-f8d042c8212c8186f07ef913395d29871db68f38.tar.gz
host_command: read_test/memmap: Fix response buffer overflow
host_command_read_test/memmap expect to have at least 128 bytes available in the response buffer, _after_ the ec_host_response header. However, in the fuzzing test, we only use a 128-byte response buffer, and set response_max to 128, correctly. host_packet_receive correctly computes the response payload size (i.e. 120 bytes): args0.response_max = pkt->response_max - sizeof(struct ec_host_response); But then host_command_read_test/memmap ignore response_max, and overflow that response buffer. BRANCH=none BUG=chromium:855972 TEST=make buildfuzztests -j echo AwMAAAMLxv0AgA== | base64 -d > crash ASAN_OPTIONS="log_path=stderr" \ build/host/host_command_fuzz/host_command_fuzz.exe ./crash echo AwcAAAAAeg== | base64 -d > crash Call fuzzer again. Change-Id: I1344842764a07f09546f3b0533b3ce154eff2732 Signed-off-by: Nicolas Boichat <drinkcat@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/1116200 Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
-rw-r--r--common/host_command.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/common/host_command.c b/common/host_command.c
index f80f43a4c5..a2aab15a31 100644
--- a/common/host_command.c
+++ b/common/host_command.c
@@ -506,7 +506,7 @@ static int host_command_read_test(struct host_cmd_handler_args *args)
int size = p->size / sizeof(uint32_t);
int i;
- if (size > ARRAY_SIZE(r->data))
+ if (size > ARRAY_SIZE(r->data) || p->size > args->response_size)
return EC_RES_ERROR;
for (i = 0; i < size; i++)
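Review bot: The new bound on the `+` line compares `p->size` against `args->response_size`, while the commit description identifies the room available for the payload as `response_max` (`args0.response_max = pkt->response_max - sizeof(struct ec_host_response)`). If `response_size` is the length a handler reports back after filling the buffer rather than the caller-supplied capacity, its value at handler entry is not the limit this check needs, and the condition would either reject valid requests or fail to bound the write; the guard should read `if (size > ARRAY_SIZE(r->data) || p->size > args->response_max)`. The same substitution applies to the `host_command_read_memmap` hunk below (`size > args->response_max`). Both handlers' bodies continue past their hunks, so the lines that copy the data and set `args->response_size` are not visible here.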
@@ -534,7 +534,7 @@ static int host_command_read_memmap(struct host_cmd_handler_args *args)
uint8_t size = p->size;
if (size > EC_MEMMAP_SIZE || offset > EC_MEMMAP_SIZE ||
- offset + size > EC_MEMMAP_SIZE)
+ offset + size > EC_MEMMAP_SIZE || size > args->response_size)
return EC_RES_INVALID_PARAM;
/* Make sure switch data is initialized */