[PATCH] ARM: rpc: ecard: bound variable-length chunk reads
From: Pengpeng Hou
Date: Sat Mar 28 2026 - 23:10:16 EST
ecard_readchunk() reads variable-length string chunk payloads into a fixed 256-byte local buffer without checking whether the encoded chunk length actually fits.
Treat overlong string chunks as invalid and terminate accepted ones before copying them into the exported chunk directory buffer.
Signed-off-by: Pengpeng Hou <pengpeng@xxxxxxxxxxx>
---
arch/arm/mach-rpc/ecard.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/arm/mach-rpc/ecard.c b/arch/arm/mach-rpc/ecard.c
index 972465840548..1340ef0364f8 100644
--- a/arch/arm/mach-rpc/ecard.c
+++ b/arch/arm/mach-rpc/ecard.c
@@ -367,9 +367,12 @@ int ecard_readchunk(struct in_chunk_dir *cd, ecard_t *ec, int id, int num)
if (c_id(&excd) & 0x80) {
switch (c_id(&excd) & 0x70) {
case 0x70:
+ if (c_len(&excd) >= sizeof(excd.d.string))
+ return 0;
ecard_readbytes((unsigned char *)excd.d.string, ec,
(int)c_start(&excd), c_len(&excd),
useld);
+ excd.d.string[c_len(&excd)] = '\0';
break;
case 0x00:
break;
--
2.50.1 (Apple Git-155)