author | Nicolas Boichat <drinkcat@chromium.org> | 2018-06-22 21:35:34 +0800 |
---|---|---|
committer | chrome-bot <chrome-bot@chromium.org> | 2018-06-28 07:06:53 -0700 |
commit | 8e2765c4208dc86077ee7932d4e414aa79c3e354 (patch) | |
tree | fdefac2239610f2db8e8972d23f4341944adce0c /common/host_command.c | |
parent | 6c6888037c8d82228b480eeba0eaf1b0aa83e9f8 (diff) | |
download | chrome-ec-8e2765c4208dc86077ee7932d4e414aa79c3e354.tar.gz |
host_command: Fix response_size to match data that was copied
Both host_command_read_test and host_command_test_protocol write
back an incorrect response_size, that does not match the number
of bytes that were actually copied.
This is easily noticed when fuzzing with verbose host command
printing, as host_command_debug_request attempts to print
the whole response, reading the response buffer out of bounds.
BRANCH=none
BUG=chromium:854975
TEST=
#define FUZZ_HOSTCMD_VERBOSE in test/test_config.h
echo AwoAAAAALADvDAE= | base64 -d > crash
Request: cmd=0013 data=03df1300007f0b000000007f00007f7f7f7f06
or
echo AwMAAEpK | base64 -d > crash
Request: cmd=0003 data=03650300004a01004a
make buildfuzztests -j
ASAN_OPTIONS="log_path=stderr" \
build/host/host_command_fuzz/host_command_fuzz.exe crash
Change-Id: Ibc8fe958cf6fae38fbfecec558c37ed3d676a51b
Signed-off-by: Nicolas Boichat <drinkcat@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/1116199
Reviewed-by: Vincent Palatin <vpalatin@chromium.org>
Diffstat (limited to 'common/host_command.c')
-rw-r--r-- | common/host_command.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/common/host_command.c b/common/host_command.c
index a2aab15a31..9fbd2efffb 100644
--- a/common/host_command.c
+++ b/common/host_command.c
@@ -512,7 +512,7 @@ static int host_command_read_test(struct host_cmd_handler_args *args)
 for (i = 0; i < size; i++)
 r->data[i] = offset + i;
- args->response_size = sizeof(*r);
+ args->response_size = size * sizeof(uint32_t);
 return EC_RES_SUCCESS;
 }
@@ -768,7 +768,7 @@ static int host_command_test_protocol(struct host_cmd_handler_args *args)
 memset(r->buf, 0, sizeof(r->buf));
 memcpy(r->buf, p->buf, copy_len);
- args->response_size = p->ret_len;
+ args->response_size = copy_len;
 return p->ec_result;
 } |
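Review bot: The new size computation in host_command_read_test hard-codes the element type as `size * sizeof(uint32_t)` instead of deriving it from the array the loop just filled. Writing `args->response_size = size * sizeof(r->data[0]);` would keep the reported length correct if the type of `r->data` ever changes. The declaration of `size` and any bound on it against `r->data` are outside this hunk, so it is worth confirming that the same clamped value feeds both the loop and this line.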
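Review bot: In host_command_test_protocol, the `memcpy(r->buf, p->buf, copy_len)` above the changed line is only as safe as the definition of `copy_len`, which sits outside this hunk. If `copy_len` is clamped to `sizeof(r->buf)` but not to `args->params_size`, a request shorter than `copy_len` could still echo bytes the host never sent back in the response. The host can also now receive fewer bytes than `p->ret_len` asked for with no indication, so a comment such as `/* Report only the bytes copied; ret_len may exceed sizeof(r->buf). */` above `args->response_size = copy_len;` would document the truncation.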