rts54hid: Fix possible unsafe memcpy()

PVS: A call of the 'memcpy' function will lead to underflow of the buffer.
Richard Hughes 2022-09-09 11:58:09 +01:00
parent d8c464889a
commit e17f41b638
2 changed files with 75 additions and 12 deletions


@ -8,8 +8,6 @@
#include <fwupdplugin.h> #include <fwupdplugin.h>
#include <string.h>
#include "fu-rts54hid-common.h" #include "fu-rts54hid-common.h"
#include "fu-rts54hid-device.h" #include "fu-rts54hid-device.h"
@ -43,7 +41,16 @@ fu_rts54hid_device_set_clock_mode(FuRts54HidDevice *self, gboolean enable, GErro
.parameters = 0, .parameters = 0,
}; };
guint8 buf[FU_RTS54FU_HID_REPORT_LENGTH] = {0}; guint8 buf[FU_RTS54FU_HID_REPORT_LENGTH] = {0};
memcpy(buf, &cmd_buffer, sizeof(cmd_buffer));
if (!fu_memcpy_safe(buf,
sizeof(buf),
0x0, /* dst */
(const guint8 *)&cmd_buffer,
sizeof(cmd_buffer),
0x0, /* src */
sizeof(cmd_buffer),
error))
return FALSE;
if (!fu_hid_device_set_report(FU_HID_DEVICE(self), if (!fu_hid_device_set_report(FU_HID_DEVICE(self),
0x0, 0x0,
buf, buf,
@ -68,7 +75,16 @@ fu_rts54hid_device_reset_to_flash(FuRts54HidDevice *self, GError **error)
.parameters = 0, .parameters = 0,
}; };
guint8 buf[FU_RTS54FU_HID_REPORT_LENGTH] = {0}; guint8 buf[FU_RTS54FU_HID_REPORT_LENGTH] = {0};
memcpy(buf, &cmd_buffer, sizeof(cmd_buffer));
if (!fu_memcpy_safe(buf,
sizeof(buf),
0x0, /* dst */
(const guint8 *)&cmd_buffer,
sizeof(cmd_buffer),
0x0, /* src */
sizeof(cmd_buffer),
error))
return FALSE;
if (!fu_hid_device_set_report(FU_HID_DEVICE(self), if (!fu_hid_device_set_report(FU_HID_DEVICE(self),
0x0, 0x0,
buf, buf,
@ -102,7 +118,15 @@ fu_rts54hid_device_write_flash(FuRts54HidDevice *self,
g_return_val_if_fail(data != NULL, FALSE); g_return_val_if_fail(data != NULL, FALSE);
g_return_val_if_fail(data_sz != 0, FALSE); g_return_val_if_fail(data_sz != 0, FALSE);
memcpy(buf, &cmd_buffer, sizeof(cmd_buffer)); if (!fu_memcpy_safe(buf,
sizeof(buf),
0x0, /* dst */
(const guint8 *)&cmd_buffer,
sizeof(cmd_buffer),
0x0, /* src */
sizeof(cmd_buffer),
error))
return FALSE;
if (!fu_memcpy_safe(buf, if (!fu_memcpy_safe(buf,
sizeof(buf), sizeof(buf),
FU_RTS54HID_CMD_BUFFER_OFFSET_DATA, /* dst */ FU_RTS54HID_CMD_BUFFER_OFFSET_DATA, /* dst */
@ -141,7 +165,15 @@ fu_rts54hid_device_verify_update_fw(FuRts54HidDevice *self, FuProgress *progress
guint8 buf[FU_RTS54FU_HID_REPORT_LENGTH] = {0}; guint8 buf[FU_RTS54FU_HID_REPORT_LENGTH] = {0};
/* set then get */ /* set then get */
memcpy(buf, &cmd_buffer, sizeof(cmd_buffer)); if (!fu_memcpy_safe(buf,
sizeof(buf),
0x0, /* dst */
(const guint8 *)&cmd_buffer,
sizeof(cmd_buffer),
0x0, /* src */
sizeof(cmd_buffer),
error))
return FALSE;
if (!fu_hid_device_set_report(FU_HID_DEVICE(self), if (!fu_hid_device_set_report(FU_HID_DEVICE(self),
0x0, 0x0,
buf, buf,
@ -184,7 +216,16 @@ fu_rts54hid_device_erase_spare_bank(FuRts54HidDevice *self, GError **error)
.parameters = 0, .parameters = 0,
}; };
guint8 buf[FU_RTS54FU_HID_REPORT_LENGTH] = {0}; guint8 buf[FU_RTS54FU_HID_REPORT_LENGTH] = {0};
memcpy(buf, &cmd_buffer, sizeof(cmd_buffer));
if (!fu_memcpy_safe(buf,
sizeof(buf),
0x0, /* dst */
(const guint8 *)&cmd_buffer,
sizeof(cmd_buffer),
0x0, /* src */
sizeof(cmd_buffer),
error))
return FALSE;
if (!fu_hid_device_set_report(FU_HID_DEVICE(self), if (!fu_hid_device_set_report(FU_HID_DEVICE(self),
0x0, 0x0,
buf, buf,
@ -215,7 +256,15 @@ fu_rts54hid_device_ensure_status(FuRts54HidDevice *self, GError **error)
g_autofree gchar *version = NULL; g_autofree gchar *version = NULL;
/* set then get */ /* set then get */
memcpy(buf, &cmd_buffer, sizeof(cmd_buffer)); if (!fu_memcpy_safe(buf,
sizeof(buf),
0x0, /* dst */
(const guint8 *)&cmd_buffer,
sizeof(cmd_buffer),
0x0, /* src */
sizeof(cmd_buffer),
error))
return FALSE;
if (!fu_hid_device_set_report(FU_HID_DEVICE(self), if (!fu_hid_device_set_report(FU_HID_DEVICE(self),
0x0, 0x0,
buf, buf,
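Review bot: Every argument to the new `fu_memcpy_safe()` call in `fu_rts54hid_device_set_clock_mode` is a compile-time constant (`sizeof(buf)`, `sizeof(cmd_buffer)`, zero offsets), so the `return FALSE` branch can only fire if the command struct is later made larger than the report buffer, and then only at runtime on a user's machine. A build-time check beside the declarations would catch that regression before release, for example `G_STATIC_ASSERT(sizeof(cmd_buffer) <= sizeof(buf));`, with the runtime call kept as defence in depth. The same applies to the other five call sites in this file and to `fu_rts54hid_module_i2c_write` and `fu_rts54hid_module_i2c_read` in the second file. The enclosing functions start and end outside the hunks shown.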


@ -8,8 +8,6 @@
#include <fwupdplugin.h> #include <fwupdplugin.h>
#include <string.h>
#include "fu-rts54hid-common.h" #include "fu-rts54hid-common.h"
#include "fu-rts54hid-device.h" #include "fu-rts54hid-device.h"
#include "fu-rts54hid-module.h" #include "fu-rts54hid-module.h"
@ -70,7 +68,15 @@ fu_rts54hid_module_i2c_write(FuRts54HidModule *self,
if (parent == NULL) if (parent == NULL)
return FALSE; return FALSE;
memcpy(buf, &cmd_buffer, sizeof(cmd_buffer)); if (!fu_memcpy_safe(buf,
sizeof(buf),
0x0, /* dst */
(const guint8 *)&cmd_buffer,
sizeof(cmd_buffer),
0x0, /* src */
sizeof(cmd_buffer),
error))
return FALSE;
if (!fu_memcpy_safe(buf, if (!fu_memcpy_safe(buf,
sizeof(buf), sizeof(buf),
FU_RTS54HID_CMD_BUFFER_OFFSET_DATA, /* dst */ FU_RTS54HID_CMD_BUFFER_OFFSET_DATA, /* dst */
@ -122,7 +128,15 @@ fu_rts54hid_module_i2c_read(FuRts54HidModule *self,
return FALSE; return FALSE;
/* read from module */ /* read from module */
memcpy(buf, &cmd_buffer, sizeof(cmd_buffer)); if (!fu_memcpy_safe(buf,
sizeof(buf),
0x0, /* dst */
(const guint8 *)&cmd_buffer,
sizeof(cmd_buffer),
0x0, /* src */
sizeof(cmd_buffer),
error))
return FALSE;
if (!fu_hid_device_set_report(FU_HID_DEVICE(parent), if (!fu_hid_device_set_report(FU_HID_DEVICE(parent),
0x0, 0x0,
buf, buf,
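Review bot: In `fu_rts54hid_module_i2c_write` the header copy to offset `0x0` is followed by a payload copy to `FU_RTS54HID_CMD_BUFFER_OFFSET_DATA`, and `fu_memcpy_safe()` only bounds each copy against `buf` on its own; nothing visible in the hunk ties the header size to that offset. If the command struct ever grew past the offset, the payload copy would overwrite the tail of the header without any error being raised. Assuming the constant marks the start of the payload area (its definition is outside this page), one line would document and enforce the layout: `G_STATIC_ASSERT(sizeof(cmd_buffer) <= FU_RTS54HID_CMD_BUFFER_OFFSET_DATA);`. `fu_rts54hid_device_write_flash` in the first file has the same two-step layout, and both function bodies continue outside the hunks shown.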