Check received frame length _before_ accepting next byte in order to avoid incorrectly rejecting payloads that are RAVE_SP_RX_BUFFER_SIZE long.
Cc: [email protected] Cc: [email protected] Cc: Lucas Stach <[email protected]> Cc: Lee Jones <[email protected]> Cc: Guenter Roeck <[email protected]> Signed-off-by: Andrey Smirnov <[email protected]> --- drivers/mfd/rave-sp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/mfd/rave-sp.c b/drivers/mfd/rave-sp.c index cec1e309b31f..76fa32006a1b 100644 --- a/drivers/mfd/rave-sp.c +++ b/drivers/mfd/rave-sp.c @@ -548,8 +548,6 @@ static int rave_sp_receive_buf(struct serdev_device *serdev, /* FALLTHROUGH */ case RAVE_SP_EXPECT_ESCAPED_DATA: - deframer->data[deframer->length++] = byte; - if (deframer->length == sizeof(deframer->data)) { dev_warn(dev, "Bad frame: Too long\n"); /* @@ -564,6 +562,8 @@ static int rave_sp_receive_buf(struct serdev_device *serdev, goto reset_framer; } + deframer->data[deframer->length++] = byte; + /* * We've extracted out special byte, now we * can go back to regular data collecting -- 2.14.3
