diff options
author | Alec Berg <alecaberg@chromium.org> | 2015-08-04 10:31:31 -0700 |
---|---|---|
committer | ChromeOS Commit Bot <chromeos-commit-bot@chromium.org> | 2015-08-04 20:50:36 +0000 |
commit | 6132b4fbc0590f8ea3f36649a77d36d28b92a95c (patch) | |
tree | 38d630b09e8f2a3ff7dc510cb98d62c1f87f5f7e /common/usb_pd_tcpc.c | |
parent | e8720732b5caea3428bf255a9f96b7b166c7ac84 (diff) | |
download | chrome-ec-6132b4fbc0590f8ea3f36649a77d36d28b92a95c.tar.gz |
tcpc: fix rx buffer overrun bug
Fix buffer overrun bug when retrieving a PD message. Bug was
introduced in CL:289005
BUG=chrome-os-partner:43482
BRANCH=none
TEST=tested on samus. plug and unplug zinger on both ports and
make sure PD MCU never crashes.
Change-Id: I9d2dec0cab07f389fd935d616ab7443da412d4bd
Signed-off-by: Alec Berg <alecaberg@chromium.org>
Reviewed-on: https://chromium-review.googlesource.com/290417
Reviewed-by: Shawn N <shawnn@chromium.org>
Diffstat (limited to 'common/usb_pd_tcpc.c')
-rw-r--r-- | common/usb_pd_tcpc.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/common/usb_pd_tcpc.c b/common/usb_pd_tcpc.c index c899065b42..d7314b1a53 100644 --- a/common/usb_pd_tcpc.c +++ b/common/usb_pd_tcpc.c @@ -1002,8 +1002,12 @@ int tcpc_set_msg_header(int port, int power_role, int data_role) int tcpc_get_message(int port, uint32_t *payload, int *head) { - memcpy(payload, pd[port].rx_payload, sizeof(pd[port].rx_payload)); - *head = pd[port].rx_head[pd[port].rx_buf_tail]; + /* Get message at tail of RX buffer */ + int idx = pd[port].rx_buf_tail; + + memcpy(payload, pd[port].rx_payload[idx], + sizeof(pd[port].rx_payload[idx])); + *head = pd[port].rx_head[idx]; return EC_SUCCESS; } |