On Mon, Apr 23, 2018 at 1:02 PM, Kyle Spiers <ksspi...@google.com> wrote:
> As part of the effort to remove VLAs from the kernel[1], this creates
> constants for the checksum lengths of CCITT and 8B2C and changes
> crc_calculated to be the maximum size of a checksum.
>
> https://lkml.org/lkml/2018/3/7/621
>
> Signed-off-by: Kyle Spiers <ksspi...@google.com>
Reviewed-by: Kees Cook <keesc...@chromium.org>
-Kees
> ---
> drivers/mfd/rave-sp.c | 11 +++++++++--
> 1 file changed, 9 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/mfd/rave-sp.c b/drivers/mfd/rave-sp.c
> index 5c858e784a89..99fa482419f9 100644
> --- a/drivers/mfd/rave-sp.c
> +++ b/drivers/mfd/rave-sp.c
> @@ -45,7 +45,9 @@
> #define RAVE_SP_DLE 0x10
>
> #define RAVE_SP_MAX_DATA_SIZE 64
> -#define RAVE_SP_CHECKSUM_SIZE 2 /* Worst case scenario on RDU2 */
> +#define RAVE_SP_CHECKSUM_8B2C 1
> +#define RAVE_SP_CHECKSUM_CCITT 2
> +#define RAVE_SP_CHECKSUM_SIZE RAVE_SP_CHECKSUM_CCITT
> /*
> * We don't store STX, ETX and unescaped bytes, so Rx is only
> * DATA + CSUM
> @@ -415,7 +417,12 @@ static void rave_sp_receive_frame(struct rave_sp *sp,
> const size_t payload_length = length - checksum_length;
> const u8 *crc_reported = &data[payload_length];
> struct device *dev = &sp->serdev->dev;
> - u8 crc_calculated[checksum_length];
> + u8 crc_calculated[RAVE_SP_CHECKSUM_SIZE];
> +
> + if (unlikely(length > sizeof(crc_calculated))) {
> + dev_warn(dev, "Dropping oversized frame\n");
> + return;
> + }
>
> print_hex_dump(KERN_DEBUG, "rave-sp rx: ", DUMP_PREFIX_NONE,
> 16, 1, data, length, false);
> --
> 2.17.0.484.g0c8726318c-goog
>
--
Kees Cook
Pixel Security
