From c39b242b643da24676fd02ea83f6b6aba0a4d69a Mon Sep 17 00:00:00 2001
From: Jack Pham
Date: Fri, 10 Feb 2017 15:33:29 -0800
Subject: [PATCH] usb: pd: Avoid buffer overrun during msg_rx

When copying the buffer to the rx_msg structure, ensure that we do not copy more than the payload buffer size. Guard the unknown len parameter within a min() check.

Change-Id: I55feff0dbee59b680a42878a38da8e9742332008
Signed-off-by: Jack Pham
---
 drivers/usb/pd/policy_engine.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/pd/policy_engine.c b/drivers/usb/pd/policy_engine.c
index 611750e209f9..191a3f4b515a 100644
--- a/drivers/usb/pd/policy_engine.c
+++ b/drivers/usb/pd/policy_engine.c
@@ -660,7 +660,7 @@ static void phy_msg_received(struct usbpd *pd, enum pd_msg_type type,
 rx_msg->type = PD_MSG_HDR_TYPE(header);
 rx_msg->len = PD_MSG_HDR_COUNT(header);
- memcpy(&rx_msg->payload, buf, len);
+ memcpy(&rx_msg->payload, buf, min(len, sizeof(rx_msg->payload)));
 spin_lock_irqsave(&pd->rx_lock, flags);
 list_add_tail(&rx_msg->entry, &pd->rx_q);
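Review bot: The clamp on the `memcpy` into `rx_msg->payload` stops the overrun, but an over-long message is now silently truncated and still queued, and `rx_msg->len` is still set from the header count on the line above rather than from the number of bytes actually copied. If the header count and `len` disagree, a consumer that trusts `rx_msg->len` could read payload words that were never written; whether an earlier part of `phy_msg_received` already rules that out is not visible here, since the function starts and ends outside the hunk. I would drop the message instead of truncating it, with a check before the copy along the lines of `if (len > sizeof(rx_msg->payload) || len != rx_msg->len * sizeof(u32))` followed by a log and an early exit, assuming the header count is in 32-bit data objects. A short comment on the copy, such as `/* len is supplied by the caller and is not trusted; bound it by the payload size */`, would also record why the bound is there.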