diff options
author | Moritz Fischer <moritz.fischer@ettus.com> | 2016-09-12 12:57:52 -0700 |
---|---|---|
committer | sjg <sjg@chromium.org> | 2016-10-09 09:30:32 -0600 |
commit | bae5b97e8ec0fedb50350a14e76648714bc51c99 (patch) | |
tree | 9dc0d5b0232ce68da5e9ba481283c2d5704b2c88 /drivers/misc/cros_ec.c | |
parent | 7a71e4891d6fab9f9d54cee72e6012727ef45d82 (diff) |
cros_ec: Fix issue with cros_ec_flash_write command
This commit fixes an issue where data is written to an
invalid memory location.
The issue has been introduced in commit
(88364387 cros: add cros_ec_driver)
Cc: Simon Glass <sjg@chromium.org>
Cc: u-boot@lists.denx.de
Signed-off-by: Moritz Fischer <moritz.fischer@ettus.com>
Reviewed-by: Simon Glass <sjg@chromium.org>
Diffstat (limited to 'drivers/misc/cros_ec.c')
-rw-r--r-- | drivers/misc/cros_ec.c | 23 |
1 files changed, 16 insertions, 7 deletions
diff --git a/drivers/misc/cros_ec.c b/drivers/misc/cros_ec.c index 05f1f600bd..1e5bcb0c56 100644 --- a/drivers/misc/cros_ec.c +++ b/drivers/misc/cros_ec.c @@ -750,15 +750,24 @@ int cros_ec_flash_erase(struct cros_ec_dev *dev, uint32_t offset, uint32_t size) static int cros_ec_flash_write_block(struct cros_ec_dev *dev, const uint8_t *data, uint32_t offset, uint32_t size) { - struct ec_params_flash_write p; + struct ec_params_flash_write *p; + int ret; - p.offset = offset; - p.size = size; - assert(data && p.size <= EC_FLASH_WRITE_VER0_SIZE); - memcpy(&p + 1, data, p.size); + p = malloc(sizeof(*p) + size); + if (!p) + return -ENOMEM; + + p->offset = offset; + p->size = size; + assert(data && p->size <= EC_FLASH_WRITE_VER0_SIZE); + memcpy(p + 1, data, p->size); - return ec_command_inptr(dev, EC_CMD_FLASH_WRITE, 0, - &p, sizeof(p), NULL, 0) >= 0 ? 0 : -1; + ret = ec_command_inptr(dev, EC_CMD_FLASH_WRITE, 0, + p, sizeof(*p) + size, NULL, 0) >= 0 ? 0 : -1; + + free(p); + + return ret; } /** |