usb: pd: Avoid buffer overrun during msg_rx



When copying the buffer to the rx_msg structure, ensure
that we do not copy more than the payload buffer size.
Guard the unknown len parameter within a min() check.

Change-Id: I55feff0dbee59b680a42878a38da8e9742332008
Signed-off-by: Jack Pham <jackp@codeaurora.org>

parent f4baeb13

drivers/usb/pd/policy_engine.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -653,7 +653,7 @@ static void phy_msg_received(struct usbpd *pd, enum pd_msg_type type,

		rx_msg->type = PD_MSG_HDR_TYPE(header);
		rx_msg->len = PD_MSG_HDR_COUNT(header);
		memcpy(&rx_msg->payload, buf, len);
		memcpy(&rx_msg->payload, buf, min(len, sizeof(rx_msg->payload)));

		spin_lock_irqsave(&pd->rx_lock, flags);
		list_add_tail(&rx_msg->entry, &pd->rx_q);