cr50: usb_upgrade: pass proper number of bytes to the vendor commands

The code invoking vendor commands callbacks rightly passes the pointer
to the command payload as the address right after the subcommand
field, but does not deduct the size of the subcommand field from the
size of the payload passed to the handler.

This patch fixes the issue, the command handlers do not see two extra
bytes at the tail of the command any more.

BRANCH=cr50
BUG=b:62294740, b:35545754
TEST=verified that vendor commands sent over USB and TPM still work
      properly (in particular the TURN_UPDATE_ON command).

Change-Id: I11a45f65163044f808a82b214f9c5faf775f9020
Signed-off-by: Vadim Bendebury <vbendeb@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/522943
Reviewed-by: Aseda Aboagye <aaboagye@chromium.org>
(cherry picked from commit d0ee126b4cdc368c36ae6660d66fed1524476e59)
Reviewed-on: https://chromium-review.googlesource.com/538563

1 files changed, 5 insertions, 2 deletions

diff --git a/chip/g/usb_upgrade.c b/chip/g/usb_upgrade.c
index 1379e38c1d..ff1e7f4048 100644
--- a/chip/g/usb_upgrade.c
+++ b/chip/g/usb_upgrade.c
@@ -144,6 +144,7 @@ static int try_vendor_command(struct consumer const *consumer, size_t count)
 			  count - offsetof(struct update_frame_header, cmd))) {
 		uint16_t *subcommand;
 		size_t response_size;
+		size_t request_size;
 
 		/* looks good, let's process it. */
 		rv = 1;
@@ -152,10 +153,12 @@ static int try_vendor_command(struct consumer const *consumer, size_t count)
 		queue_advance_head(consumer->queue, count);
 
 		subcommand = (uint16_t *)(cmd_buffer + 1);
+		request_size = count - sizeof(struct update_frame_header) -
+			sizeof(*subcommand);
+
 		usb_extension_route_command(be16toh(*subcommand),
 					    subcommand + 1,
-					    count -
-					    sizeof(struct update_frame_header),
+					    request_size,
 					    &response_size);
 
 		QUEUE_ADD_UNITS(&upgrade_to_usb, subcommand + 1, response_size);