usb: sandbox: Bounds check read from buffer

The buffer is 512 bytes but read requests can be 800 bytes. Limit the
request to the size of the buffer.

Signed-off-by: Andrew Scull <ascull@google.com>
Cc: Simon Glass <sjg@chromium.org>
Cc: Marek Vasut <marex@denx.de>
Reviewed-by: Simon Glass <sjg@chromium.org>

1 files changed, 2 insertions, 0 deletions

diff --git a/drivers/usb/emul/sandbox_flash.c b/drivers/usb/emul/sandbox_flash.c
index edabc1b3a7..cc80f67133 100644
--- a/drivers/usb/emul/sandbox_flash.c
+++ b/drivers/usb/emul/sandbox_flash.c
@@ -345,6 +345,8 @@ static int sandbox_flash_bulk(struct udevice *dev, struct usb_device *udev,
 			} else {
 				if (priv->alloc_len && len > priv->alloc_len)
 					len = priv->alloc_len;
+				if (len > sizeof(priv->buff))
+					len = sizeof(priv->buff);
 				memcpy(buff, priv->buff, len);
 				priv->phase = PHASE_STATUS;
 			}