[U-Boot,v2] cros_ec: Fix issue with cros_ec_flash_write command

Message ID 1473710272-31724-1-git-send-email-moritz.fischer@ettus.com
State Accepted
Commit bae5b97e8ec0fedb50350a14e76648714bc51c99
Delegated to: Simon Glass

Commit Message

Moritz Fischer Sept. 12, 2016, 7:57 p.m. UTC
This commit fixes an issue where data is written to an
invalid memory location.
The issue has been introduced in commit
(88364387 cros: add cros_ec_driver)

Cc: Simon Glass <sjg@chromium.org>
Cc: u-boot@lists.denx.de
Signed-off-by: Moritz Fischer <moritz.fischer@ettus.com>
---
Changes from v1:
 - Fixed accidental change of command version
 - Removed added whitespace
---
 drivers/misc/cros_ec.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

Comments

Simon Glass Sept. 23, 2016, 4:15 a.m. UTC | #1
On 12 September 2016 at 13:57, Moritz Fischer <moritz.fischer@ettus.com> wrote:
> This commit fixes an issue where data is written to an
> invalid memory location.
> The issue has been introduced in commit
> (88364387 cros: add cros_ec_driver)
>
> Cc: Simon Glass <sjg@chromium.org>
> Cc: u-boot@lists.denx.de
> Signed-off-by: Moritz Fischer <moritz.fischer@ettus.com>
> ---
> Changes from v1:
>  - Fixed accidental change of command version
>  - Removed added whitespace
> ---
>  drivers/misc/cros_ec.c | 23 ++++++++++++++++-------
>  1 file changed, 16 insertions(+), 7 deletions(-)

Reviewed-by: Simon Glass <sjg@chromium.org>

Simon Glass Oct. 2, 2016, 12:34 a.m. UTC | #2
On 22 September 2016 at 22:15, Simon Glass <sjg@chromium.org> wrote:
> On 12 September 2016 at 13:57, Moritz Fischer <moritz.fischer@ettus.com> wrote:
>> This commit fixes an issue where data is written to an
>> invalid memory location.
>> The issue has been introduced in commit
>> (88364387 cros: add cros_ec_driver)
>>
>> Cc: Simon Glass <sjg@chromium.org>
>> Cc: u-boot@lists.denx.de
>> Signed-off-by: Moritz Fischer <moritz.fischer@ettus.com>
>> ---
>> Changes from v1:
>>  - Fixed accidental change of command version
>>  - Removed added whitespace
>> ---
>>  drivers/misc/cros_ec.c | 23 ++++++++++++++++-------
>>  1 file changed, 16 insertions(+), 7 deletions(-)
>
> Reviewed-by: Simon Glass <sjg@chromium.org>

Applied to u-boot-dm, thanks!

Patch

diff --git a/drivers/misc/cros_ec.c b/drivers/misc/cros_ec.c
index 44b4f59..06a7dcc 100644
--- a/drivers/misc/cros_ec.c
+++ b/drivers/misc/cros_ec.c
@@ -760,15 +760,24 @@  int cros_ec_flash_erase(struct cros_ec_dev *dev, uint32_t offset, uint32_t size)
 static int cros_ec_flash_write_block(struct cros_ec_dev *dev,
 		const uint8_t *data, uint32_t offset, uint32_t size)
 {
-	struct ec_params_flash_write p;
+	struct ec_params_flash_write *p;
+	int ret;
 
-	p.offset = offset;
-	p.size = size;
-	assert(data && p.size <= EC_FLASH_WRITE_VER0_SIZE);
-	memcpy(&p + 1, data, p.size);
+	p = malloc(sizeof(*p) + size);
+	if (!p)
+		return -ENOMEM;
+
+	p->offset = offset;
+	p->size = size;
+	assert(data && p->size <= EC_FLASH_WRITE_VER0_SIZE);
+	memcpy(p + 1, data, p->size);
 
-	return ec_command_inptr(dev, EC_CMD_FLASH_WRITE, 0,
-			  &p, sizeof(p), NULL, 0) >= 0 ? 0 : -1;
+	ret = ec_command_inptr(dev, EC_CMD_FLASH_WRITE, 0,
+			  p, sizeof(*p) + size, NULL, 0) >= 0 ? 0 : -1;
+
+	free(p);
+
+	return ret;
 }
 
 /**
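Review bot: The bound on size is checked only by the assert() that follows malloc(sizeof(*p) + size), so the allocation length and the memcpy length both come from an unvalidated uint32_t, and nothing enforces the limit in a build where assert() is compiled out. Move the check ahead of the allocation and make it a real error path, for example `if (!data || size > EC_FLASH_WRITE_VER0_SIZE) return -EINVAL;`, which also rules out sizeof(*p) + size wrapping where size_t is 32 bits. A smaller point: the function now returns -ENOMEM on the allocation failure but a flattened -1 when ec_command_inptr() fails; passing through the negative value from ec_command_inptr() would keep the error codes consistent for callers.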