Wrong CFI offset in cfi_cmdset_0001.c

Jared Hulbert jaredeh at gmail.com
Tue Oct 25 16:02:42 EDT 2005 

On 10/25/05, Nicolas Pitre <nico at cam.org> wrote:
> On Mon, 24 Oct 2005, Jared Hulbert wrote:
>
> > Sorry. It took me longer than it should have to track down a P30 part
> > and get it on my machine.  Does this work for you?
>
> I have a problem convincing myself it should work at all.
>
> > --- trunk/drivers/mtd/chips/cfi_cmdset_0001.c (revision 8)
> > +++ trunk/drivers/mtd/chips/cfi_cmdset_0001.c (revision 10)
> > @@ -285,7 +285,7 @@
> >                             sizeof(struct cfi_intelext_otpinfo);
> >
> >               /* Burst Read info */
> > -             extra_size += (extp->MinorVersion < '4') ? 6 : 5;
> > +             extra_size += (unsigned int)extp->extra[extra_size+1]+2;
>
> Here you're dereferencing the extra array which (initially) has not even
> been read into memory yet.  It probably only work because it just
> happens that extra_size is not increased enough to bypass the later
> "goto again" which would manage to read the extra data needed and things
> would get back on track at that point.  but that's relying on pure luck.

Yeah. Opps kind of tacky.

> Could you fix that and get rid of the needless cast please?  (extra is
> uint8_t so there is no signedness issues to worry about)

How's this look?

Index: trunk/drivers/mtd/chips/cfi_cmdset_0001.c
===================================================================
--- trunk/drivers/mtd/chips/cfi_cmdset_0001.c	(revision 8)
+++ trunk/drivers/mtd/chips/cfi_cmdset_0001.c	(revision 11)
@@ -285,7 +285,10 @@
 			      sizeof(struct cfi_intelext_otpinfo);

 		/* Burst Read info */
-		extra_size += (extp->MinorVersion < '4') ? 6 : 5;
+		extra_size += 2;
+		if (extp_size < sizeof(*extp) + extra_size)
+			goto need_more;
+		extra_size += extp->extra[extra_size-1];

 		/* Number of hardware-partitions */
 		extra_size += 1;
@@ -519,7 +522,7 @@
 		       sizeof(struct cfi_intelext_otpinfo);

 		/* Burst Read info */
-		offs += (extp->MinorVersion < '4') ? 6 : 5;
+		offs += extp->extra[offs+1]+2;

 		/* Number of partition regions */
 		numregions = extp->extra[offs];

More information about the linux-mtd mailing list