github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-06-01 19:13:47 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity Graph

greybus: beagleplay: bound bootloader RX buffer copy

Browse Source 
When `flashing_mode` is set, `gb_tty_receive()` routes incoming bytes to
`cc1352_bootloader_rx()`. That helper appends the new bytes to the shared
`rx_buffer` with `memcpy()` but does not check that the chunk fits in the
remaining space first. The normal HDLC receive path already enforces
`MAX_RX_HDLC`, so do the same here before appending bootloader data.

If a packet would overflow the receive buffer, drop it and reset the
bootloader receive state instead of copying past the end of `rx_buffer`.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Link: https://patch.msgid.link/20260322031923.58013-1-pengpeng@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Pengpeng Hou 2026-03-22 11:19:23 +08:00 committed by Greg Kroah-Hartman
parent 8ca3d3b1c3
commit cbc96a916b
1 changed files with 6 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
drivers/greybus/gb-beagleplay.c
View File

@ -535,6 +535,12 @@ static size_t cc1352_bootloader_rx(struct gb_beagleplay *bg, const u8 *data,
int ret;
size_t off = 0;
if (count > sizeof(bg->rx_buffer) - bg->rx_buffer_len) {
dev_err_ratelimited(&bg->sd->dev, "Bootloader RX buffer overflow");
bg->rx_buffer_len = 0;
return count;
}
memcpy(bg->rx_buffer + bg->rx_buffer_len, data, count);
bg->rx_buffer_len += count;