[U-Boot] [PATCH] cros_ec: Fix issue with cros_ec_flash_write command

This commit fixes an issue where data is written to an invalid memory location. The issue was introduced in commit 88364387 ("cros: add cros_ec_driver").
Signed-off-by: Moritz Fischer moritz.fischer@ettus.com
Cc: u-boot@lists.denx.de
---
 drivers/misc/cros_ec.c | 25 ++++++++++++++++++-------
 1 file changed, 18 insertions(+), 7 deletions(-)
diff --git a/drivers/misc/cros_ec.c b/drivers/misc/cros_ec.c
index 44b4f59..6079e52 100644
--- a/drivers/misc/cros_ec.c
+++ b/drivers/misc/cros_ec.c
@@ -760,15 +760,26 @@ int cros_ec_flash_erase(struct cros_ec_dev *dev, uint32_t offset, uint32_t size)
 static int cros_ec_flash_write_block(struct cros_ec_dev *dev, const uint8_t *data, uint32_t offset, uint32_t size) {
- struct ec_params_flash_write p;
+ struct ec_params_flash_write *p;
+ int ret;
- p.offset = offset;
- p.size = size;
- assert(data && p.size <= EC_FLASH_WRITE_VER0_SIZE);
- memcpy(&p + 1, data, p.size);
+ p = malloc(sizeof(*p) + size);
+ if (!p)
+ return -ENOMEM;
+
+
+ p->offset = offset;
+ p->size = size;
+ assert(data && p->size <= EC_FLASH_WRITE_VER0_SIZE);
+ memcpy(p + 1, data, p->size);
- return ec_command_inptr(dev, EC_CMD_FLASH_WRITE, 0,
- &p, sizeof(p), NULL, 0) >= 0 ? 0 : -1;
+ ret = ec_command_inptr(dev, EC_CMD_FLASH_WRITE, 1,
+ p, sizeof(*p) + size, NULL, 0) >= 0 ? 0 : -1;
+
+ free(p);
+
+
+ return ret;
 }
/**
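Review bot: The bound on `size` in `cros_ec_flash_write_block()` is still enforced only by `assert()`, and it now runs after `malloc(sizeof(*p) + size)` rather than before it. If the build compiles `assert()` out (worth confirming for this tree), an oversized `size` reaches both the allocation and the `memcpy()` unchecked, and on a 32-bit target a value near the top of the `uint32_t` range could wrap the `sizeof(*p) + size` sum so the buffer ends up smaller than the copy. Moving the check ahead of the allocation as a runtime test would close that, e.g. `if (!data || size > EC_FLASH_WRITE_VER0_SIZE) return -EINVAL;`. Since the payload is capped by that constant, a fixed on-stack buffer of `sizeof(*p) + EC_FLASH_WRITE_VER0_SIZE` bytes would also remove the allocation, the `-ENOMEM` path and the `free()`.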

Hi Simon,
On Mon, Sep 12, 2016 at 1:48 PM, Moritz Fischer moritz.fischer@ettus.com wrote:
return ec_command_inptr(dev, EC_CMD_FLASH_WRITE, 0,
&p, sizeof(p), NULL, 0) >= 0 ? 0 : -1;
ret = ec_command_inptr(dev, EC_CMD_FLASH_WRITE, 1,
p, sizeof(*p) + size, NULL, 0) >= 0 ? 0 : -1;
This shouldn't touch the command version ... I'll resend v2 ... sorry for the noise ...
Moritz