[PATCH v2 2/2] firmware: arm_scpi: check the payload length in scpi_send_message

Jon Medhurst (Tixy) tixy at linaro.org
Fri Dec 9 01:57:07 PST 2016


On Fri, 2016-11-25 at 01:54 +0100, Martin Blumenstingl wrote:
> This adds a sanity check to ensure we're not writing data beyond the
> end of our rx_buf and tx_buf. Currently we are still far from reaching
> this limit, so this is a non-critical fix.
> 
> Signed-off-by: Martin Blumenstingl <martin.blumenstingl at googlemail.com>
> ---
>  drivers/firmware/arm_scpi.c | 5 +++++
>  1 file changed, 5 insertions(+)
> 
> diff --git a/drivers/firmware/arm_scpi.c b/drivers/firmware/arm_scpi.c
> index 8c183d8..78ea8c7 100644
> --- a/drivers/firmware/arm_scpi.c
> +++ b/drivers/firmware/arm_scpi.c
> @@ -538,6 +538,11 @@ static int scpi_send_message(u8 idx, void *tx_buf, unsigned int tx_len,
>  			scpi_info->num_chans;
>  	scpi_chan = scpi_info->channels + chan;
>  
> +	if (tx_len > scpi_chan->max_payload_len)
> +		return -EINVAL;
> +	if (rx_len > scpi_chan->max_payload_len)
> +		return -EINVAL;

What is max_payload_len? I don't see it in anywhere in the kernel tree.
Also, why is the check needed? Surely having a channel not be able to
support the requirements of the SCPI protocol is a bit of a
design/configuration flaw of the system and shouldn't happen. If a check
is really needed perhaps it also warrants a WARN_ON or similar?

> +
>  	msg = get_scpi_xfer(scpi_chan);
>  	if (!msg)
>  		return -ENOMEM;

-- 
Tixy




More information about the linux-amlogic mailing list