From 0cefc2eeb5cd87cd42163379cfcf75d417b77f80 Mon Sep 17 00:00:00 2001 From: Todd Broch Date: Fri, 23 Jan 2015 17:36:40 -0800 Subject: pd: Validate size of discover identity received by DFP. Signed-off-by: Todd Broch BRANCH=samus BUG=chrome-os-partner:35859 TEST=manual, with CONFIG_CMD_USB_PD_PE and hoho in C1 > pe 1 dump IDENT: [ID Header] 6c0018d1 :: AMA, VID:18d1 [Cert Stat] 00000000 [2] 50100001 [3] 1100000b SVID[0]: ff01 MODES: [1] 00000485 SVID[1]: 18d1 MODES: [1] 00000001 MODE[1]: svid:ff01 caps:00000485 Now see only the 2 additional product type VDOs (product, AMA) Bits still make sense. [2] 50100001 == 5010:Pid 0001:bcdDevice [3] 1100000b == 1:hw vers 1:fw version b:vbus req, USB 2.0 billboard only Change-Id: Ie8fb74fa55a25ee760009d5a2858a62b0f696c92 Reviewed-on: https://chromium-review.googlesource.com/243080 Trybot-Ready: Todd Broch Tested-by: Todd Broch Reviewed-by: Vincent Palatin Commit-Queue: Todd Broch
---
 common/usb_pd_policy.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/common/usb_pd_policy.c b/common/usb_pd_policy.c
index 6e5f32c3d5..60dd29e52d 100644
--- a/common/usb_pd_policy.c
+++ b/common/usb_pd_policy.c
@@ -191,11 +191,13 @@ void pd_dfp_pe_init(int port)
 pe[port].amode.index = -1;
 }
 
-static void dfp_consume_identity(int port, uint32_t *payload)
+static void dfp_consume_identity(int port, int cnt, uint32_t *payload)
 {
 int ptype = PD_IDH_PTYPE(payload[VDO_I(IDH)]);
+ size_t identity_size = MIN(sizeof(pe[port].identity),
+ (cnt - 1) * sizeof(uint32_t));
 pd_dfp_pe_init(port);
- memcpy(&pe[port].identity, payload + 1, sizeof(pe[port].identity));
+ memcpy(&pe[port].identity, payload + 1, identity_size);
 switch (ptype) {
 case IDH_PTYPE_AMA:
 /* TODO(tbroch) do I disable VBUS here if power contract
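Review bot: The new clamp in dfp_consume_identity does not cover a reply with fewer than two objects. `ptype` is still read from `payload[VDO_I(IDH)]` before `cnt` is consulted, and for `cnt <= 0` the term `(cnt - 1) * sizeof(uint32_t)` is converted to an unsigned size and becomes huge, so MIN() falls back to the full `sizeof(pe[port].identity)` copy that this commit set out to bound. Whether pd_svdm can be entered with such a count is not visible in either hunk, so I would guard locally with `if (cnt < 2) return;` ahead of the ptype read, or after `pd_dfp_pe_init(port)` if the state reset should still happen on a short reply. A one-line comment on `identity_size`, such as `/* payload[0] is the VDM header; copy only the VDOs actually received */`, would also record why the `- 1` is there. The function body continues past the end of this hunk, so the switch on `ptype` could not be checked for how it treats a partially filled identity.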
@@ -493,7 +495,7 @@ int pd_svdm(int port, int cnt, uint32_t *payload, uint32_t **rpayload)
 switch (cmd) {
 #ifdef CONFIG_USB_PD_ALT_MODE_DFP
 case CMD_DISCOVER_IDENT:
- dfp_consume_identity(port, payload);
+ dfp_consume_identity(port, cnt, payload);
 rsize = dfp_discover_svids(port, payload);
 break;
 case CMD_DISCOVER_SVID:
-- 
cgit v1.2.1