authorBraden Kell <bradenkell@google.com>2018-08-24 13:54:18 -0700
committerfaqiang.zhu <faqiang.zhu@nxp.com>2018-11-12 09:18:34 +0800
commit2081a25561c4dcc066cb7fee1a70db7111cfa5ab (patch)
tree68c8084b31a43863ce5af9f6c9baedcc582fa9da /drivers
parent434e104b7df161492415c29be24c70dc7c126211 (diff)
Fix buffer overflow in kernel cmdline handling
Flashing a signed vbmeta image adds extra parameters to the kernel command line, overflowing the buffer and corrupting the global data struct. Increase the command line buffer size from 512 to 1024 to accommodate the extra data, and change the sprintf's to snprintf's to prevent this from happening if more parameters are added later. This bug was exposed by Idd55dde79eed793dccdd7319600fbd04e11ca12d. Bug: 112397808 Test: Device boots with images from console and from local build. Change-Id: If73d04007d54193527e11e11c6ef326110e899b6
Diffstat (limited to 'drivers')
-rw-r--r--drivers/usb/gadget/f_fastboot.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/drivers/usb/gadget/f_fastboot.c b/drivers/usb/gadget/f_fastboot.c
index ae8fe80955..df5e458ca3 100644
--- a/drivers/usb/gadget/f_fastboot.c
+++ b/drivers/usb/gadget/f_fastboot.c
@@ -2097,13 +2097,13 @@ int do_boota(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[]) {
printf(" boot '%s%s' still\n",
avb_loadpart->partition_name, avb_out_data->ab_suffix);
}
- char bootargs_sec[ANDR_BOOT_ARGS_SIZE];
+ char bootargs_sec[ANDR_BOOT_EXTRA_ARGS_SIZE];
if (lock_status == FASTBOOT_LOCK) {
- sprintf(bootargs_sec,
+ snprintf(bootargs_sec, sizeof(bootargs_sec),
"androidboot.verifiedbootstate=green androidboot.slot_suffix=%s %s",
avb_out_data->ab_suffix, avb_out_data->cmdline);
} else {
- sprintf(bootargs_sec,
+ snprintf(bootargs_sec, sizeof(bootargs_sec),
"androidboot.verifiedbootstate=orange androidboot.slot_suffix=%s %s",
avb_out_data->ab_suffix, avb_out_data->cmdline);
}
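Review bot: Both new `snprintf(bootargs_sec, sizeof(bootargs_sec), ...)` calls discard the return value, so an over-long `avb_out_data->cmdline` is now silently truncated instead of overflowing the buffer. Because that string carries the parameters added by the verified vbmeta image, a cut-off tail presumably means the kernel boots with some of them missing or split mid-token, which should be a boot failure rather than a quiet degradation. Capture the result and reject truncation in both branches, e.g. `int n = snprintf(bootargs_sec, sizeof(bootargs_sec), ...);` followed by `if (n < 0 || (size_t)n >= sizeof(bootargs_sec)) { /* log and abort the boot */ }`. The rest of `do_boota`, including whatever consumes `bootargs_sec` and the function's error path, lies outside this hunk, so check that the consumer is bounded for the larger 1024-byte string as well.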