[PATCH v2 3/3] mfd: rave-sp: Check received frame length before accepting next byte

From: Andrey Smirnov
Date: Thu Mar 08 2018 - 12:38:41 EST


Check received frame length _before_ accepting next byte in order to
avoid incorrectly rejecting payloads that are RAVE_SP_RX_BUFFER_SIZE
long.

Cc: linux-kernel@xxxxxxxxxxxxxxx
Cc: cphealy@xxxxxxxxx
Cc: Lucas Stach <l.stach@xxxxxxxxxxxxxx>
Cc: Lee Jones <lee.jones@xxxxxxxxxx>
Cc: Guenter Roeck <linux@xxxxxxxxxxxx>
Tested-by: Lucas Stach <l.stach@xxxxxxxxxxxxxx>
Acked-for-MFD-by: Lee Jones <lee.jones@xxxxxxxxxx>
Signed-off-by: Andrey Smirnov <andrew.smirnov@xxxxxxxxx>
---
drivers/mfd/rave-sp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/mfd/rave-sp.c b/drivers/mfd/rave-sp.c
index 5c1442fa2308..7db1b32d61e2 100644
--- a/drivers/mfd/rave-sp.c
+++ b/drivers/mfd/rave-sp.c
@@ -546,8 +546,6 @@ static int rave_sp_receive_buf(struct serdev_device *serdev,
/* FALLTHROUGH */

case RAVE_SP_EXPECT_ESCAPED_DATA:
- deframer->data[deframer->length++] = byte;
-
if (deframer->length == sizeof(deframer->data)) {
dev_warn(dev, "Bad frame: Too long\n");
/*
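Review bot: the length test in the RAVE_SP_EXPECT_ESCAPED_DATA case is now the guard that runs ahead of the write into `deframer->data`, so it should be `>=` rather than `==`. Because `length` advances one byte at a time the two are equivalent today, but `if (deframer->length >= sizeof(deframer->data))` still rejects the frame if `length` ever reaches this point already past the end of the buffer, whereas `==` would let that write through. Since this branch can be reached on every oversized frame from the serial line, a rate-limited variant of the `dev_warn()` call is also worth considering.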
@@ -562,6 +560,8 @@ static int rave_sp_receive_buf(struct serdev_device *serdev,
goto reset_framer;
}

+ deframer->data[deframer->length++] = byte;
+
/*
* We've extracted out special byte, now we
* can go back to regular data collecting
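Review bot: the relocated store `deframer->data[deframer->length++] = byte;` is only in bounds because it now sits after the length test and its `goto reset_framer`, and nothing at the store says so. A one-line comment above it stating that the bounds check must come first would keep a later cleanup from moving the write back above the test. It would also help to note in the code that a frame filling `deframer->data` exactly is valid, since that is the case the commit message says was being rejected.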
--
2.14.3