diff options
| author | Boris Mittelberg <bmbm@google.com> | 2021-12-30 13:47:51 -0800 |
|---|---|---|
| committer | Commit Bot <commit-bot@chromium.org> | 2022-01-04 21:58:16 +0000 |
| commit | 7254d0bfe2499f6952c191459248b1fa28fea8cb (patch) | |
| tree | c7a820acbb7b8ccd41177eb54886388a1503f212 /chip | |
| parent | 13bd39d7220ac734348c0c95430789bcb4286068 (diff) | |
| download | chrome-ec-7254d0bfe2499f6952c191459248b1fa28fea8cb.tar.gz | |
npcx: fix port80 buffer overflow
AP might write to FIFO while we are reading it. This will
cause buffer overflow (count > 15). The fix adds length
checking.
BRANCH=none
BUG=b:212528580, b:210582280
TEST=none
Signed-off-by: Boris Mittelberg <bmbm@google.com>
Change-Id: I71e3d4857ef059ef0ce4ce79725c057897e1d004
Reviewed-on: https://chromium-review.googlesource.com/c/chromiumos/platform/ec/+/3362501
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Reviewed-by: caveh jalali <caveh@chromium.org>
Commit-Queue: caveh jalali <caveh@chromium.org>
Diffstat (limited to 'chip')
| -rw-r--r-- | chip/npcx/lpc.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/chip/npcx/lpc.c b/chip/npcx/lpc.c index c80bf2960b..d52b9c968a 100644 --- a/chip/npcx/lpc.c +++ b/chip/npcx/lpc.c @@ -584,7 +584,8 @@ static void lpc_port80_interrupt(void) uint32_t code = 0; /* buffer Port80 data to the local buffer if FIFO is not empty */ - while (IS_BIT_SET(NPCX_DP80STS, NPCX_DP80STS_FNE)) + while (IS_BIT_SET(NPCX_DP80STS, NPCX_DP80STS_FNE) && + (count < ARRAY_SIZE(port80_buf))) port80_buf[count++] = NPCX_DP80BUF; for (i = 0; i < count; i++) { |