From patchwork Fri Jun 29 18:59:40 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sam Protsenko <semen.protsenko@linaro.org>
X-Patchwork-Id: 140634
Delivered-To: patch@linaro.org
Received: by 2002:a2e:9754:0:0:0:0:0 with SMTP id f20-v6csp1201070ljj;
 Fri, 29 Jun 2018 11:59:49 -0700 (PDT)
X-Google-Smtp-Source: AAOMgpdP3+392s+YJ+Y/1T0UZWZGti22fqanlAsCtAfqJM7XuuxyrxkueTipDZtYHgojrr31nvmQ
X-Received: by 2002:a50:cf0b:: with SMTP id
 c11-v6mr10360788edk.35.1530298789381; 
 Fri, 29 Jun 2018 11:59:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1530298789; cv=none;
 d=google.com; s=arc-20160816;
 b=Jpxj2OEUw+Nu2ekYuFyJtGcFzO4I+xKAqlwKpukxlAUhHcjkkgTuHWHuqg9fB5o+ie
 3fdhaDAjBCLfOf1I7Z3nRukTdz9YpN87MWBt5v7T1CBrKU9WAvL2qowwwlOKLYe2e+ir
 T5+3bcDQvGCMDWtkeQlc5XvHUYkmZYK4XzfxHo0Mz2hucKjdGHTZAMoa4JbwhH1NZSgh
 AwADQmG5lSzR7JB6HruMhNUe7ZRN+if1VsbMPLCP9do1qxTxVqvDe1W6J9xJCKit2xhF
 LZP7rEUGCoH0ihrxrugsPCYMcZ3fZ5/Y5WqkakDwUPqDVabYoyCqZa1o0PzokF9JraND
 uBtw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=sender:errors-to:content-transfer-encoding:mime-version
 :list-subscribe:list-help:list-post:list-archive:list-unsubscribe
 :list-id:precedence:subject:cc:message-id:date:to:from
 :dkim-signature:arc-authentication-results;
 bh=suMKghEgdFFwwXX2jJNa88vThijiT4sImpVJu4+6ukw=;
 b=Gi8Afj3JhkFm4coT06iMDMuzysaibVMHd0bzBAASyJ3O8BGJZz652yCW+L5LB2qnik
 rOmSQV2O3hDCpfaewk7RykJJ4YYhHNQaykg/cTM7YjbNTEMTMmpzZBAKePXQ/ULm1ZJ4
 B0vJLDN3zAHrE+sSZL/ylPPNWGXtGZuDngUtCnGGpxgytewAZ+ombzhAezA4m6IkfcFk
 BJZy6Cmz32CaNC0nj8XZG1+BmARDgQFnJ2Ta402N26JB3re/SIQZJMTmY6mJcuJYRtx2
 vWBH609b2I7LppAsWBL9x04yDiphHV2GYCfAYPlsdlQtvavY4RUbqksd7vaZLrDlqZMh
 8uwg==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=neutral (body hash did not verify) header.i=@linaro.org
 header.s=google header.b=iFGd67aq; 
 spf=pass (google.com: best guess record for domain of
 u-boot-bounces@lists.denx.de designates 81.169.180.215 as
 permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; 
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <u-boot-bounces@lists.denx.de>
Received: from lists.denx.de (dione.denx.de. [81.169.180.215])
 by mx.google.com with ESMTP id
 o1-v6si4845867edd.161.2018.06.29.11.59.48; 
 Fri, 29 Jun 2018 11:59:49 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of
 u-boot-bounces@lists.denx.de designates 81.169.180.215 as
 permitted sender) client-ip=81.169.180.215; 
Authentication-Results: mx.google.com;
 dkim=neutral (body hash did not verify) header.i=@linaro.org
 header.s=google header.b=iFGd67aq; 
 spf=pass (google.com: best guess record for domain of
 u-boot-bounces@lists.denx.de designates 81.169.180.215 as
 permitted sender) smtp.mailfrom=u-boot-bounces@lists.denx.de; 
 dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: by lists.denx.de (Postfix, from userid 105)
 id 8E11BC21DD3; Fri, 29 Jun 2018 18:59:46 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on lists.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=-0.0 required=5.0 tests=RCVD_IN_MSPIKE_H3,
 RCVD_IN_MSPIKE_WL,
 T_DKIM_INVALID autolearn=unavailable autolearn_force=no
 version=3.4.0
Received: from lists.denx.de (localhost [IPv6:::1])
 by lists.denx.de (Postfix) with ESMTP id 8EE80C21DB3;
 Fri, 29 Jun 2018 18:59:44 +0000 (UTC)
Received: by lists.denx.de (Postfix, from userid 105)
 id 5F6F6C21DB3; Fri, 29 Jun 2018 18:59:43 +0000 (UTC)
Received: from mail-lf0-f67.google.com (mail-lf0-f67.google.com
 [209.85.215.67])
 by lists.denx.de (Postfix) with ESMTPS id F2419C21DAF
 for <u-boot@lists.denx.de>; Fri, 29 Jun 2018 18:59:42 +0000 (UTC)
Received: by mail-lf0-f67.google.com with SMTP id n96-v6so7517418lfi.1
 for <u-boot@lists.denx.de>; Fri, 29 Jun 2018 11:59:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id;
 bh=4S+DEIh37AP8dPoMrFxdkUD+8gzL6y+d14C8SS773xY=;
 b=iFGd67aq30pvvK8AmX2KumJoWMjTyTkuOqBro5znqJ2uZF7RD0jGaGUq5retVWkdt5
 XN+VSgpTOwZTaSi4QtwhvSl9eUxdsA9SnBI5plh0w+PExCn8Ss3C/5qhFyJLlYmGmMBV
 UTfcbEB+23fgzxCDaUj+swluvI0P8WGAbbeqw=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id;
 bh=4S+DEIh37AP8dPoMrFxdkUD+8gzL6y+d14C8SS773xY=;
 b=Wt6K7ttry1vEuPToxIESyMCuEyXG97dHd2NpKQpIcT6ZdYkUSiz/Y05Q7rXLcd6+pH
 KjP7MDceZzeXJT74pQmXBskAA/IiqzE0ERlAr+aoiuzo/8De5PoVfCfHO1fGN4aBN0Ay
 //1Ti9IjP8HF8l9ZK1DdgP6ofvFLNc1w8IwjK3T0cLvkLgaF+GkO6ntgy2dgg4wPobIc
 2K0pz09w7iGeqZgvNcsJQWnXfPqpxyzRSNcMYMCXaEgK/h0iiPmhhRo8jBVII6OWnlPg
 5qu+XDWYaGHpuBYpY6jIo46lmw5tPeUeR4oV5e7SkXIKJ0p7iIARR32fDH4TEKP9mL08
 Jy2g==
X-Gm-Message-State: APt69E3EjthU4e3pR72ZGT4EWDN1MBApGY9cdesEK5FmUpImv8ruT3ng
 M0WlKu27aj6XfPTJbwhGipWzgvUICJE=
X-Received: by 2002:a19:f24e:: with SMTP id
 d14-v6mr10909620lfk.18.1530298782069; 
 Fri, 29 Jun 2018 11:59:42 -0700 (PDT)
Received: from localhost ([195.238.92.132]) by smtp.gmail.com with ESMTPSA id
 e22-v6sm1636761ljj.95.2018.06.29.11.59.40
 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
 Fri, 29 Jun 2018 11:59:41 -0700 (PDT)
From: Sam Protsenko <semen.protsenko@linaro.org>
To: u-boot@lists.denx.de
Date: Fri, 29 Jun 2018 21:59:40 +0300
Message-Id: <20180629185940.9369-1-semen.protsenko@linaro.org>
X-Mailer: git-send-email 2.17.1
Cc: Tom Rini <trini@konsulko.com>, Jocelyn Bohr <bohr@google.com>
Subject: [U-Boot] [PATCH v2] cmd: fastboot: Validate user input
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <http://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
MIME-Version: 1.0
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>

In case when user provides '-' as USB controller index, like this:

    => fastboot -

data abort occurs in strcmp() function in do_fastboot(), here:

    if (!strcmp(argv[1], "udp"))

(tested on BeagleBone Black).

That's because argv[1] is NULL when user types in the '-', and null
pointer dereference occurs in strcmp() (which is ok according to C
standard specification). So we must validate user input to prevent such
behavior.

While at it, check also the result of strtoul() function and handle
error cases properly.

Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org>
Reviewed-by: Simon Glass <sjg@chromium.org>
Reviewed-by: Lukasz Majewski <lukma@denx.de>
---
Changes for v2:
  - replace argv check with argc check
  - add mentioning of testing platform in commit message

 cmd/fastboot.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/cmd/fastboot.c b/cmd/fastboot.c
index e6ae0570d5..ae3a5f627f 100644
--- a/cmd/fastboot.c
+++ b/cmd/fastboot.c
@@ -38,13 +38,18 @@ static int do_fastboot_usb(int argc, char *const argv[],
 #if CONFIG_IS_ENABLED(USB_FUNCTION_FASTBOOT)
 	int controller_index;
 	char *usb_controller;
+	char *endp;
 	int ret;
 
 	if (argc < 2)
 		return CMD_RET_USAGE;
 
 	usb_controller = argv[1];
-	controller_index = simple_strtoul(usb_controller, NULL, 0);
+	controller_index = simple_strtoul(usb_controller, &endp, 0);
+	if (*endp != '\0') {
+		pr_err("Error: Wrong USB controller index format\n");
+		return CMD_RET_FAILURE;
+	}
 
 	ret = board_usb_init(controller_index, USB_INIT_DEVICE);
 	if (ret) {
@@ -120,6 +125,12 @@ NXTARG:
 		;
 	}
 
+	/* Handle case when USB controller param is just '-' */
+	if (argc == 1) {
+		pr_err("Error: Incorrect USB controller index\n");
+		return CMD_RET_USAGE;
+	}
+
 	fastboot_init((void *)buf_addr, buf_size);
 
 	if (!strcmp(argv[1], "udp"))