diff options
author | Nicolas Boichat <drinkcat@chromium.org> | 2018-06-21 08:38:09 +0800 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2018-06-21 08:14:25 -0700 |
commit | 5d34998aeb78534ae7659778788cf6d2aec3d742 (patch) | |
tree | 09acca2728550a487c2c7a378b63c458d37346f2 /test | |
parent | e2d6f3833127d478d15ac36e2336a92b1863d65f (diff) | |
download | chrome-ec-5d34998aeb78534ae7659778788cf6d2aec3d742.tar.gz |
test/host_command: Do not overflow req_buf
The test attempts to access req_buf outside of its bounds during
test_hostcmd_too_long, let's increase the buffer size.
BRANCH=none
BUG=chromium:854924
TEST=make V=1 TEST_ASAN=y run-host_command -j
Change-Id: Ibacc080c9e961ad4eb56c17908e704796404a9ca
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1109614
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
Diffstat (limited to 'test')
-rw-r--r-- | test/host_command.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/test/host_command.c b/test/host_command.c index a98ee87ef6..2385e40ee8 100644 --- a/test/host_command.c +++ b/test/host_command.c @@ -13,9 +13,12 @@ #include "timer.h" #include "util.h" +/* Request/response buffer size (and maximum command length) */ +#define BUFFER_SIZE 128 + struct host_packet pkt; -static char resp_buf[128]; -static char req_buf[128]; +static char resp_buf[BUFFER_SIZE]; +static char req_buf[BUFFER_SIZE + 4]; struct ec_host_request *req = (struct ec_host_request *)req_buf; struct ec_params_hello *p = (struct ec_params_hello *)(req_buf + sizeof(*req)); struct ec_host_response *resp = (struct ec_host_response *)resp_buf; @@ -58,10 +61,10 @@ static void hostcmd_fill_in_default(void) pkt.request_size = 0; pkt.send_response = hostcmd_respond; pkt.request = (const void *)req_buf; - pkt.request_max = 128; + pkt.request_max = BUFFER_SIZE; pkt.request_size = sizeof(*req) + sizeof(*p); pkt.response = (void *)resp_buf; - pkt.response_max = 128; + pkt.response_max = BUFFER_SIZE; pkt.driver_result = 0; } @@ -101,7 +104,7 @@ static int test_hostcmd_too_long(void) hostcmd_fill_in_default(); /* Larger than request buffer */ - pkt.request_size = sizeof(req_buf) + 4; + pkt.request_size = BUFFER_SIZE + 4; hostcmd_send(); TEST_ASSERT(resp->result == EC_RES_REQUEST_TRUNCATED); |