[PATCH] greybus: beagleplay: bound bootloader RX buffer copy

Next message: Pengpeng Hou: "[PATCH] net/nfc: bound SENSF response copy length"
Previous message: Pengpeng Hou: "[PATCH] mlx5: bound raw flow rule match parameter copies"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Pengpeng Hou

Date: Sat Mar 21 2026 - 23:20:06 EST

When `flashing_mode` is set, `gb_tty_receive()` routes incoming bytes to
`cc1352_bootloader_rx()`. That helper appends the new bytes to the shared
`rx_buffer` with `memcpy()` but does not check that the chunk fits in the
remaining space first. The normal HDLC receive path already enforces
`MAX_RX_HDLC`, so do the same here before appending bootloader data.

If a packet would overflow the receive buffer, drop it and reset the
bootloader receive state instead of copying past the end of `rx_buffer`.

Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
drivers/greybus/gb-beagleplay.c | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/drivers/greybus/gb-beagleplay.c b/drivers/greybus/gb-beagleplay.c
index 87186f891a6a..bca3132adacd 100644
--- a/drivers/greybus/gb-beagleplay.c
+++ b/drivers/greybus/gb-beagleplay.c
@@ -535,6 +535,12 @@ static size_t cc1352_bootloader_rx(struct gb_beagleplay *bg, const u8 *data,
int ret;
size_t off = 0;

+ if (count > sizeof(bg->rx_buffer) - bg->rx_buffer_len) {
+ dev_err_ratelimited(&bg->sd->dev, "Bootloader RX buffer overflow");
+ bg->rx_buffer_len = 0;
+ return count;
+ }
+
memcpy(bg->rx_buffer + bg->rx_buffer_len, data, count);
bg->rx_buffer_len += count;

--
2.50.1 (Apple Git-155)