[PATCH] fsi: occ: bound SRAM write payload length

Pengpeng Hou posted 1 patch 4 days, 7 hours ago
drivers/fsi/fsi-occ.c | 6 ++++++
1 file changed, 6 insertions(+)
Posted by Pengpeng Hou 4 days, 7 hours ago
occ_putsram() rounds the requested SRAM write length up to an eight-byte
boundary and then copies that payload into occ->buffer without checking
whether the rounded length still fits behind the OCC/SBE command header.

Reject payloads that would overrun the fixed response buffer instead of
copying past the end of occ->buffer.

Fixes: 7ed98dddb764 ("fsi: Add On-Chip Controller (OCC) driver")
Signed-off-by: Pengpeng Hou <pengpeng@iscas.ac.cn>
---
 drivers/fsi/fsi-occ.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/fsi/fsi-occ.c b/drivers/fsi/fsi-occ.c
index 416d176f0936..f52cf539bbda 100644
--- a/drivers/fsi/fsi-occ.c
+++ b/drivers/fsi/fsi-occ.c
@@ -315,6 +315,7 @@ static int occ_putsram(struct occ *occ, const void *data, ssize_t len,
 		       u8 seq_no, u16 checksum)
 {
 	u32 data_len = ((len + 7) / 8) * 8;	/* must be multiples of 8 B */
+	size_t max_data_len;
 	size_t cmd_len, parsed_len, resp_data_len;
 	size_t resp_len = OCC_MAX_RESP_WORDS;
 	__be32 *buf = occ->buffer;
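Review bot: `len` is `ssize_t` while `data_len`, in the context line just above the new declaration, is `u32`, so the value the patch goes on to bound is a rounded and truncated copy of `len` rather than `len` itself. Nothing in these lines rules out a negative `len` (-1 rounds to 0) or, on a 64-bit build, one above 4 GiB, and either yields a small `data_len` that passes a `data_len > max_data_len` test while the copy still uses the original `len`. Consider rejecting `len < 0` and bounding `len` before the rounding, or making the parameter unsigned. Minor style point: `max_data_len` could join the existing `size_t cmd_len, parsed_len, resp_data_len;` declaration instead of taking its own line.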
@@ -345,6 +346,11 @@ static int occ_putsram(struct occ *occ, const void *data, ssize_t len,
 		break;
 	}
 
+	max_data_len = OCC_MAX_RESP_WORDS * sizeof(*buf);
+	max_data_len -= (5 + idx) * sizeof(*buf);
+	if (data_len > max_data_len)
+		return -EINVAL;
+
 	buf[4 + idx] = cpu_to_be32(data_len);
 	memcpy(&buf[5 + idx], data, len);
 
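Review bot: the header word count `5 + idx` is now written out twice, in `max_data_len -= (5 + idx) * sizeof(*buf);` and in `memcpy(&buf[5 + idx], data, len);`, so the bound and the copy destination can drift apart if the header layout changes. A named local used in both places, or a short comment saying what the five fixed words are, would tie them together. The limit also assumes `occ->buffer` holds exactly `OCC_MAX_RESP_WORDS` words, which these lines do not show; a comment pointing at where the buffer is sized, or reusing that expression, would make the assumption checkable. The commit message calls it the response buffer although it is being filled with a command here, which is worth a word in the comment as well.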
-- 
2.50.1 (Apple Git-155)