author | Nicolas Boichat <drinkcat@chromium.org> | 2019-05-15 13:07:35 +0800 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2019-05-16 09:04:26 -0700 |
commit | f88989e7518b97c83afc93497f97e33d9d4c12f4 (patch) | |
tree | aff241c15d12ee97b0f08f3e90ec5597608804a8 /driver | |
parent | 2c321f4ab89d2ec171f7b3c463893fa5051479fe (diff) | |
download | chrome-ec-f88989e7518b97c83afc93497f97e33d9d4c12f4.tar.gz |
tcpci/usb_pd_fuzz: Avoid using uninitialized data in payload
Found with MSAN fuzzer: usb_pd_protocol.c may use payload data
that is not initialized.
Fix the test by copying over the whole payload, which is what
tcpci.c's version does.
Also, in tcpci.c, clear cached_messages head before using
get_message_raw to fill it up, to make sure that we do not
accidentally use older data in the queue.
BRANCH=none
BUG=chromium:963076
TEST=make TEST_MSAN=y host-usb_pd_fuzz -j
MSAN_OPTIONS=log_path=stderr:exitcode=0 \
build/host/usb_pd_fuzz/usb_pd_fuzz.exe \
clusterfuzz-testcase-minimized-ec_usb_pd_fuzzer-5716775969357824
Change-Id: I74c38538440cb5a01d1714657b9e2d63e5b80cea
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1610163
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Diffstat (limited to 'driver')
-rw-r--r-- | driver/tcpm/tcpci.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/driver/tcpm/tcpci.c b/driver/tcpm/tcpci.c index f9e5db929c..46ab6f9e2a 100644 --- a/driver/tcpm/tcpci.c +++ b/driver/tcpm/tcpci.c @@ -451,6 +451,8 @@ int tcpm_enqueue_message(const int port) return EC_ERROR_OVERFLOW; } + /* Blank any old message, just in case. */ + memset(head, 0, sizeof(*head)); /* Call the raw driver without caching */ rv = tcpc_config[port].drv->get_message_raw(port, head->payload, &head->header); |
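Review bot: the new comment "Blank any old message, just in case." understates why the memset is there; the commit message gives the real reason (get_message_raw may not overwrite every byte of the slot, so a previous message's bytes could otherwise be read back), and the comment should say that so the zeroing is not removed later as a needless cost, e.g. "Zero the slot first: get_message_raw may fill fewer bytes than the slot holds, and stale payload must not leak into the new message." The zeroing makes the stale-data case deterministic rather than impossible: code that consumes cached_messages should still bound its payload reads by the length encoded in head->header, and the rv from get_message_raw should still decide whether the slot counts as a queued message, since a zeroed slot is not the same as a valid one.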