[PATCH] ARM: rpc: ecard: bound variable-length chunk reads

Sat Mar 28 20:09:46 PDT 2026

ecard_readchunk() reads variable-length string chunk payloads into a fixed 256-byte local buffer without checking whether the encoded chunk length actually fits.

Treat overlong string chunks as invalid and terminate accepted ones before copying them into the exported chunk directory buffer.

Signed-off-by: Pengpeng Hou <pengpeng at iscas.ac.cn>
---
 arch/arm/mach-rpc/ecard.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/arm/mach-rpc/ecard.c b/arch/arm/mach-rpc/ecard.c
index 972465840548..1340ef0364f8 100644
--- a/arch/arm/mach-rpc/ecard.c
+++ b/arch/arm/mach-rpc/ecard.c
@@ -367,9 +367,12 @@ int ecard_readchunk(struct in_chunk_dir *cd, ecard_t *ec, int id, int num)
 	if (c_id(&excd) & 0x80) {
 		switch (c_id(&excd) & 0x70) {
 		case 0x70:
+			if (c_len(&excd) >= sizeof(excd.d.string))
+				return 0;
 			ecard_readbytes((unsigned char *)excd.d.string, ec,
 					(int)c_start(&excd), c_len(&excd),
 					useld);
+			excd.d.string[c_len(&excd)] = '\0';
 			break;
 		case 0x00:
 			break;
-- 
2.50.1 (Apple Git-155)


