On Mon, Apr 30, 2018 at 5:38 AM, Lee Jones <[email protected]> wrote: > On Fri, 27 Apr 2018, Kyle Spiers wrote: > >> As part of the effort to remove VLAs from the kernel[1], this creates >> constants for the checksum lengths of CCITT and 8B2C and changes >> crc_calculated to be the maximum size of a checksum. >> >> https://lkml.org/lkml/2018/3/7/621 >> >> Signed-off-by: Kyle Spiers <[email protected]> >> --- >> drivers/mfd/rave-sp.c | 11 +++++++++-- >> 1 file changed, 9 insertions(+), 2 deletions(-) > > Applied, thanks. > > Kees, do you want me to add your Ack?
Sure! Reviewed-by: Kees Cook <[email protected]> Thanks! -Kees > >> diff --git a/drivers/mfd/rave-sp.c b/drivers/mfd/rave-sp.c >> index 5c858e784a89..4ce96b7137db 100644 >> --- a/drivers/mfd/rave-sp.c >> +++ b/drivers/mfd/rave-sp.c >> @@ -45,7 +45,9 @@ >> #define RAVE_SP_DLE 0x10 >> >> #define RAVE_SP_MAX_DATA_SIZE 64 >> -#define RAVE_SP_CHECKSUM_SIZE 2 /* Worst case scenario on >> RDU2 */ >> +#define RAVE_SP_CHECKSUM_8B2C 1 >> +#define RAVE_SP_CHECKSUM_CCITT 2 >> +#define RAVE_SP_CHECKSUM_SIZE RAVE_SP_CHECKSUM_CCITT >> /* >> * We don't store STX, ETX and unescaped bytes, so Rx is only >> * DATA + CSUM >> @@ -415,7 +417,12 @@ static void rave_sp_receive_frame(struct rave_sp *sp, >> const size_t payload_length = length - checksum_length; >> const u8 *crc_reported = &data[payload_length]; >> struct device *dev = &sp->serdev->dev; >> - u8 crc_calculated[checksum_length]; >> + u8 crc_calculated[RAVE_SP_CHECKSUM_SIZE]; >> + >> + if (unlikely(checksum_length > sizeof(crc_calculated))) { >> + dev_warn(dev, "Checksum too long, dropping\n"); >> + return; >> + } >> >> print_hex_dump(KERN_DEBUG, "rave-sp rx: ", DUMP_PREFIX_NONE, >> 16, 1, data, length, false); > > -- > Lee Jones [李琼斯] > Linaro Services Technical Lead > Linaro.org │ Open source software for ARM SoCs > Follow Linaro: Facebook | Twitter | Blog -- Kees Cook Pixel Security
