host_command: read_test/memmap: Fix response buffer overflow

host_command_read_test/memmap expect to have at least 128 bytes
available in response buffer, _after_ ec_host_response header.

However, in the fuzzing test, we only use a 128 bytes response
buffer, and set response_max to 128, correctly.

host_packet_receive correctly computes the response payload
size (i.e. 120 bytes):
args0.response_max = pkt->response_max - sizeof(struct ec_host_response);

But then host_command_read_test/memmap ignore response_max, and
overflows that response buffer.

BRANCH=none
BUG=chromium:855972
TEST=make buildfuzztests -j
  echo AwMAAAMLxv0AgA== | base64 -d > crash
  ASAN_OPTIONS="log_path=stderr" \
    build/host/host_command_fuzz/host_command_fuzz.exe ./crash
  echo AwcAAAAAeg== | base64 -d > crash
  Call fuzzer again.

Change-Id: I1344842764a07f09546f3b0533b3ce154eff2732
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1116200
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>

1 files changed, 2 insertions, 2 deletions

diff --git a/common/host_command.c b/common/host_command.c
index f80f43a4c5..a2aab15a31 100644
--- a/common/host_command.c
+++ b/common/host_command.c
@@ -506,7 +506,7 @@ static int host_command_read_test(struct host_cmd_handler_args *args)
 	int size = p->size / sizeof(uint32_t);
 	int i;
 
-	if (size > ARRAY_SIZE(r->data))
+	if (size > ARRAY_SIZE(r->data) || p->size > args->response_size)
 		return EC_RES_ERROR;
 
 	for (i = 0; i < size; i++)
@@ -534,7 +534,7 @@ static int host_command_read_memmap(struct host_cmd_handler_args *args)
 	uint8_t size = p->size;
 
 	if (size > EC_MEMMAP_SIZE || offset > EC_MEMMAP_SIZE ||
-	    offset + size > EC_MEMMAP_SIZE)
+	    offset + size > EC_MEMMAP_SIZE || size > args->response_size)
 		return EC_RES_INVALID_PARAM;
 
 	/* Make sure switch data is initialized */