greybus: beagleplay: bound bootloader RX buffer copy

When `flashing_mode` is set, `gb_tty_receive()` routes incoming bytes to
`cc1352_bootloader_rx()`. That helper appends the new bytes to the shared
`rx_buffer` with `memcpy()` but does not check that the chunk fits in the
remaining space first. The normal HDLC receive path already enforces
`MAX_RX_HDLC`, so do the same here before appending bootloader data.

If a packet would overflow the receive buffer, drop it and reset the
bootloader receive state instead of copying past the end of `rx_buffer`.

Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
Link: https://patch.msgid.link/20260322031923.58013-1-pengpeng@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/greybus/gb-beagleplay.c b/drivers/greybus/gb-beagleplay.c
index 87186f891a6acb4d4f48f87b04bf38cdcddcfad3..bca3132adacde4f94ca5c4aba1a5181f3bdf720a 100644 (file)
--- a/drivers/greybus/gb-beagleplay.c
+++ b/drivers/greybus/gb-beagleplay.c
@@ -535,6 +535,12 @@ static size_t cc1352_bootloader_rx(struct gb_beagleplay *bg, const u8 *data,
        int ret;
        size_t off = 0;
 
+       if (count > sizeof(bg->rx_buffer) - bg->rx_buffer_len) {
+               dev_err_ratelimited(&bg->sd->dev, "Bootloader RX buffer overflow");
+               bg->rx_buffer_len = 0;
+               return count;
+       }
+
        memcpy(bg->rx_buffer + bg->rx_buffer_len, data, count);
        bg->rx_buffer_len += count;