Wrong CFI offset in cfi_cmdset_0001.c
Nicolas Pitre
nico at cam.org
Tue Oct 25 14:45:47 EDT 2005
On Mon, 24 Oct 2005, Jared Hulbert wrote:
> Sorry. It took me longer than it should have to track down a P30 part
> and get it on my machine. Does this work for you?
I have a problem convincing myself it should work at all.
> --- trunk/drivers/mtd/chips/cfi_cmdset_0001.c (revision 8)
> +++ trunk/drivers/mtd/chips/cfi_cmdset_0001.c (revision 10)
> @@ -285,7 +285,7 @@
> sizeof(struct cfi_intelext_otpinfo);
>
> /* Burst Read info */
> - extra_size += (extp->MinorVersion < '4') ? 6 : 5;
> + extra_size += (unsigned int)extp->extra[extra_size+1]+2;
Here you're dereferencing the extra array which (initially) has not even
been read into memory yet. It probably only work because it just
happens that extra_size is not increased enough to bypass the later
"goto again" which would manage to read the extra data needed and things
would get back on track at that point. but that's relying on pure luck.
Could you fix that and get rid of the needless cast please? (extra is
uint8_t so there is no signedness issues to worry about)
Nicolas
More information about the linux-mtd
mailing list