Message ID | 1473710272-31724-1-git-send-email-moritz.fischer@ettus.com |
---|---|
State | Accepted |
Commit | bae5b97e8ec0fedb50350a14e76648714bc51c99 |
Delegated to: | Simon Glass |
On 12 September 2016 at 13:57, Moritz Fischer <moritz.fischer@ettus.com> wrote:
> This commit fixes an issue where data is written to an
> invalid memory location.
> The issue has been introduced in commit
> (88364387 cros: add cros_ec_driver)
>
> Cc: Simon Glass <sjg@chromium.org>
> Cc: u-boot@lists.denx.de
> Signed-off-by: Moritz Fischer <moritz.fischer@ettus.com>
> ---
> Changes from v1:
> - Fixed accidental change of command version
> - Removed added whitespace
> ---
>  drivers/misc/cros_ec.c | 23 ++++++++++++++++-------
>  1 file changed, 16 insertions(+), 7 deletions(-)

Reviewed-by: Simon Glass <sjg@chromium.org>
On 22 September 2016 at 22:15, Simon Glass <sjg@chromium.org> wrote:
> On 12 September 2016 at 13:57, Moritz Fischer <moritz.fischer@ettus.com> wrote:
>> This commit fixes an issue where data is written to an
>> invalid memory location.
>> The issue has been introduced in commit
>> (88364387 cros: add cros_ec_driver)
>>
>> Cc: Simon Glass <sjg@chromium.org>
>> Cc: u-boot@lists.denx.de
>> Signed-off-by: Moritz Fischer <moritz.fischer@ettus.com>
>> ---
>> Changes from v1:
>> - Fixed accidental change of command version
>> - Removed added whitespace
>> ---
>>  drivers/misc/cros_ec.c | 23 ++++++++++++++++-------
>>  1 file changed, 16 insertions(+), 7 deletions(-)
>
> Reviewed-by: Simon Glass <sjg@chromium.org>

Applied to u-boot-dm, thanks!
diff --git a/drivers/misc/cros_ec.c b/drivers/misc/cros_ec.c index 44b4f59..06a7dcc 100644 --- a/drivers/misc/cros_ec.c +++ b/drivers/misc/cros_ec.c @@ -760,15 +760,24 @@ int cros_ec_flash_erase(struct cros_ec_dev *dev, uint32_t offset, uint32_t size) static int cros_ec_flash_write_block(struct cros_ec_dev *dev, const uint8_t *data, uint32_t offset, uint32_t size) { - struct ec_params_flash_write p; + struct ec_params_flash_write *p; + int ret; - p.offset = offset; - p.size = size; - assert(data && p.size <= EC_FLASH_WRITE_VER0_SIZE); - memcpy(&p + 1, data, p.size); + p = malloc(sizeof(*p) + size); + if (!p) + return -ENOMEM; + + p->offset = offset; + p->size = size; + assert(data && p->size <= EC_FLASH_WRITE_VER0_SIZE); + memcpy(p + 1, data, p->size); - return ec_command_inptr(dev, EC_CMD_FLASH_WRITE, 0, - &p, sizeof(p), NULL, 0) >= 0 ? 0 : -1; + ret = ec_command_inptr(dev, EC_CMD_FLASH_WRITE, 0, + p, sizeof(*p) + size, NULL, 0) >= 0 ? 0 : -1; + + free(p); + + return ret; } /**
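Review bot: In cros_ec_flash_write_block(), the only bound on size is assert(data && p->size <= EC_FLASH_WRITE_VER0_SIZE), and it runs after malloc(sizeof(*p) + size) has already used the value. Where assert() is compiled out, a NULL data pointer or an oversized size reaches memcpy(p + 1, data, p->size) and ec_command_inptr() unchecked, and on targets where size_t is 32 bits sizeof(*p) + size can wrap for a large size, leaving the buffer smaller than the copy. Suggest an explicit check at the top of the function, before the allocation, that returns an error such as -EINVAL when data is NULL or size exceeds EC_FLASH_WRITE_VER0_SIZE. Separately, the return expression still collapses every failure from ec_command_inptr() to -1 while the new allocation path returns -ENOMEM; passing the negative return value through would make the two paths consistent.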
This commit fixes an issue where data is written to an
invalid memory location.
The issue has been introduced in commit
(88364387 cros: add cros_ec_driver)

Cc: Simon Glass <sjg@chromium.org>
Cc: u-boot@lists.denx.de
Signed-off-by: Moritz Fischer <moritz.fischer@ettus.com>
---
Changes from v1:
- Fixed accidental change of command version
- Removed added whitespace
---
 drivers/misc/cros_ec.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)