cros_ec: Fix issue with cros_ec_flash_write command

This commit fixes an issue where data is written to an invalid memory location. The issue has been introduced in commit (8836438 cros: add cros_ec_driver) Cc: Simon Glass <sjg@chromium.org> Cc: u-boot@lists.denx.de Signed-off-by: Moritz Fischer <moritz.fischer@ettus.com> Reviewed-by: Simon Glass <sjg@chromium.org>
Android-Boot-Manager · Oct 9, 2016 · bae5b97 · bae5b97
1 parent 7a71e48
commit bae5b97
Showing 1 changed file with 16 additions and 7 deletions.
diff --git a/drivers/misc/cros_ec.c b/drivers/misc/cros_ec.c
@@ -750,15 +750,24 @@ int cros_ec_flash_erase(struct cros_ec_dev *dev, uint32_t offset, uint32_t size)
 static int cros_ec_flash_write_block(struct cros_ec_dev *dev,
 		const uint8_t *data, uint32_t offset, uint32_t size)
 {
-	struct ec_params_flash_write p;
+	struct ec_params_flash_write *p;
+	int ret;
 
-	p.offset = offset;
-	p.size = size;
-	assert(data && p.size <= EC_FLASH_WRITE_VER0_SIZE);
-	memcpy(&p + 1, data, p.size);
+	p = malloc(sizeof(*p) + size);
+	if (!p)
+		return -ENOMEM;
+
+	p->offset = offset;
+	p->size = size;
+	assert(data && p->size <= EC_FLASH_WRITE_VER0_SIZE);
+	memcpy(p + 1, data, p->size);
 
-	return ec_command_inptr(dev, EC_CMD_FLASH_WRITE, 0,
-			  &p, sizeof(p), NULL, 0) >= 0 ? 0 : -1;
+	ret = ec_command_inptr(dev, EC_CMD_FLASH_WRITE, 0,
+			  p, sizeof(*p) + size, NULL, 0) >= 0 ? 0 : -1;
+
+	free(p);
+
+	return ret;
 }
 
 /**