summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMoritz Fischer <moritz.fischer@ettus.com>2016-09-12 12:57:52 -0700
committersjg <sjg@chromium.org>2016-10-09 09:30:32 -0600
commitbae5b97e8ec0fedb50350a14e76648714bc51c99 (patch)
tree9dc0d5b0232ce68da5e9ba481283c2d5704b2c88
parent7a71e4891d6fab9f9d54cee72e6012727ef45d82 (diff)
downloadu-boot-bae5b97e8ec0fedb50350a14e76648714bc51c99.tar.gz
cros_ec: Fix issue with cros_ec_flash_write command
This commit fixes an issue where data is written to an invalid memory location. The issue has been introduced in commit (88364387 cros: add cros_ec_driver) Cc: Simon Glass <sjg@chromium.org> Cc: u-boot@lists.denx.de Signed-off-by: Moritz Fischer <moritz.fischer@ettus.com> Reviewed-by: Simon Glass <sjg@chromium.org>
-rw-r--r--drivers/misc/cros_ec.c23
1 files changed, 16 insertions, 7 deletions
diff --git a/drivers/misc/cros_ec.c b/drivers/misc/cros_ec.c
index 05f1f600bd..1e5bcb0c56 100644
--- a/drivers/misc/cros_ec.c
+++ b/drivers/misc/cros_ec.c
@@ -750,15 +750,24 @@ int cros_ec_flash_erase(struct cros_ec_dev *dev, uint32_t offset, uint32_t size)
static int cros_ec_flash_write_block(struct cros_ec_dev *dev,
const uint8_t *data, uint32_t offset, uint32_t size)
{
- struct ec_params_flash_write p;
+ struct ec_params_flash_write *p;
+ int ret;
- p.offset = offset;
- p.size = size;
- assert(data && p.size <= EC_FLASH_WRITE_VER0_SIZE);
- memcpy(&p + 1, data, p.size);
+ p = malloc(sizeof(*p) + size);
+ if (!p)
+ return -ENOMEM;
+
+ p->offset = offset;
+ p->size = size;
+ assert(data && p->size <= EC_FLASH_WRITE_VER0_SIZE);
+ memcpy(p + 1, data, p->size);
- return ec_command_inptr(dev, EC_CMD_FLASH_WRITE, 0,
- &p, sizeof(p), NULL, 0) >= 0 ? 0 : -1;
+ ret = ec_command_inptr(dev, EC_CMD_FLASH_WRITE, 0,
+ p, sizeof(*p) + size, NULL, 0) >= 0 ? 0 : -1;
+
+ free(p);
+
+ return ret;
}
/**