Hello Valentin Longchamp,
I had a question about patch a2cb1be18254: "spi/fsl-espi: fix rx_buf in
fsl_espi_cmd_trans()/fsl_espi_rw_trans()" from May 16, 2014.
drivers/spi/spi-fsl-espi.c
396 espi_trans->n_tx = n_tx;
397 espi_trans->n_rx = trans_len;
398 espi_trans->len = trans_len + n_tx;
399 espi_trans->tx_buf = local_buf;
400 espi_trans->rx_buf = local_buf;
1) This is really weird that we share the same buffer for both sending
and receiving. My concern is that we've fixed the buffer overflow bug
by changing it to a memory corruption bug.
401 fsl_espi_do_trans(m, espi_trans);
402
403 memcpy(rx_buf + pos, espi_trans->rx_buf + n_tx,
trans_len);
^^^^^^^^^^^^^^^^^^^^^^^^^
2) Why do we have the "+ n_tx" here? "n_tx + trans_len" was a buffer
before so that means this code is still reading beyond the end of the
array.
404
405 if (loop > 0)
406 espi_trans->actual_length += espi_trans->len -
n_tx;
407 else
408 espi_trans->actual_length += espi_trans->len;
regards,
dan carpenter
--
To unsubscribe from this list: send the line "unsubscribe linux-spi" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
