authorNicolas Boichat <drinkcat@chromium.org>2018-06-22 21:35:34 +0800
committerchrome-bot <chrome-bot@chromium.org>2018-06-28 07:06:53 -0700
commit8e2765c4208dc86077ee7932d4e414aa79c3e354 (patch)
treefdefac2239610f2db8e8972d23f4341944adce0c /common/host_command.c
parent6c6888037c8d82228b480eeba0eaf1b0aa83e9f8 (diff)
host_command: Fix response_size to match data that was copied
Both host_command_read_test and host_command_test_protocol write back an incorrect response_size, that does not match the number of bytes that were actually copied. This is easily noticed when fuzzing with verbose host command printing, as host_command_debug_request attempts to print the whole response, reading the response buffer out of bounds. BRANCH=none BUG=chromium:854975 TEST= #define FUZZ_HOSTCMD_VERBOSE in test/test_config.h echo AwoAAAAALADvDAE= | base64 -d > crash Request: cmd=0013 data=03df1300007f0b000000007f00007f7f7f7f06 or echo AwMAAEpK | base64 -d > crash Request: cmd=0003 data=03650300004a01004a make buildfuzztests -j ASAN_OPTIONS="log_path=stderr" \ build/host/host_command_fuzz/host_command_fuzz.exe crash Change-Id: Ibc8fe958cf6fae38fbfecec558c37ed3d676a51b Signed-off-by: Nicolas Boichat <drinkcat@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/1116199 Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
Diffstat (limited to 'common/host_command.c')
-rw-r--r--common/host_command.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/common/host_command.c b/common/host_command.c
index a2aab15a31..9fbd2efffb 100644
--- a/common/host_command.c
+++ b/common/host_command.c
@@ -512,7 +512,7 @@ static int host_command_read_test(struct host_cmd_handler_args *args)
for (i = 0; i < size; i++)
r->data[i] = offset + i;
- args->response_size = sizeof(*r);
+ args->response_size = size * sizeof(uint32_t);
return EC_RES_SUCCESS;
}
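Review bot: The new size expression hard-codes `uint32_t` rather than being tied to the array it describes, so it would silently report the wrong length if the element type of `r->data` ever changes; `args->response_size = size * sizeof(r->data[0]);` keeps the two in step. The function starts outside this hunk, so the check that `size` fits within `r->data` is not visible here. That check is worth confirming, because both the write loop and the reported length now depend on it.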
@@ -768,7 +768,7 @@ static int host_command_test_protocol(struct host_cmd_handler_args *args)
memset(r->buf, 0, sizeof(r->buf));
memcpy(r->buf, p->buf, copy_len);
- args->response_size = p->ret_len;
+ args->response_size = copy_len;
return p->ec_result;
}
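Review bot: `copy_len` is computed outside this hunk, so `args->response_size = copy_len;` is only as safe as that computation; nothing visible here shows it is bounded by `sizeof(r->buf)` or by `args->response_max`. The `memcpy` source is a separate concern: if the request was shorter than the full parameter struct, `p->buf` presumably holds bytes the host did not send, and those would be echoed back. Comparing `args->params_size` against `sizeof(*p)` before the copy would close that gap. A short comment such as `/* Report only the bytes actually copied; ret_len may exceed the buffer */` would record why `p->ret_len` is no longer returned directly.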