diff options
| -rw-r--r-- | ft2232_spi.c | 3 | ||||
| -rw-r--r-- | ichspi.c | 13 | ||||
| -rw-r--r-- | it87spi.c | 4 | ||||
| -rw-r--r-- | sb600spi.c | 10 | ||||
| -rw-r--r-- | spi.h | 1 | ||||
| -rw-r--r-- | wbsio_spi.c | 3 |
6 files changed, 23 insertions, 11 deletions
diff --git a/ft2232_spi.c b/ft2232_spi.c index 8e6e836c..5d229b3c 100644 --- a/ft2232_spi.c +++ b/ft2232_spi.c @@ -201,6 +201,9 @@ int ft2232_spi_send_command(unsigned int writecnt, unsigned int readcnt, unsigned char port_val = 0; int i, ret = 0; + if (writecnt > 65536 || readcnt > 65536) + return SPI_INVALID_LENGTH; + buf = realloc(buf, writecnt + readcnt + 100); if (!buf) { fprintf(stderr, "Out of memory!\n"); @@ -599,10 +599,16 @@ static int run_opcode(OPCODE op, uint32_t offset, { switch (spi_controller) { case SPI_CONTROLLER_VIA: + if (datalength > 16) + return SPI_INVALID_LENGTH; return ich7_run_opcode(op, offset, datalength, data, 16); case SPI_CONTROLLER_ICH7: + if (datalength > 64) + return SPI_INVALID_LENGTH; return ich7_run_opcode(op, offset, datalength, data, 64); case SPI_CONTROLLER_ICH9: + if (datalength > 64) + return SPI_INVALID_LENGTH; return ich9_run_opcode(op, offset, datalength, data); default: printf_debug("%s: unsupported chipset\n", __FUNCTION__); @@ -686,6 +692,7 @@ int ich_spi_send_command(unsigned int writecnt, unsigned int readcnt, const unsigned char *writearr, unsigned char *readarr) { int a; + int result; int opcode_index = -1; const unsigned char cmd = *writearr; OPCODE *opcode; @@ -728,10 +735,10 @@ int ich_spi_send_command(unsigned int writecnt, unsigned int readcnt, count = readcnt; } - if (run_opcode(*opcode, addr, count, data) != 0) { + result = run_opcode(*opcode, addr, count, data); + if (result) { printf_debug("run OPCODE 0x%02x failed\n", opcode->opcode); - return 1; } - return 0; + return result; } @@ -170,7 +170,7 @@ int it8716f_spi_send_command(unsigned int writecnt, unsigned int readcnt, if (readcnt > 3) { printf("%s called with unsupported readcnt %i.\n", __FUNCTION__, readcnt); - return 1; + return SPI_INVALID_LENGTH; } switch (writecnt) { case 1: @@ -200,7 +200,7 @@ int it8716f_spi_send_command(unsigned int writecnt, unsigned int readcnt, default: printf("%s called with unsupported writecnt %i.\n", __FUNCTION__, writecnt); - return 1; + return SPI_INVALID_LENGTH; } /* * Start IO, 33 or 16 MHz, readcnt input bytes, writecnt output bytes. @@ -114,14 +114,14 @@ int sb600_spi_send_command(unsigned int writecnt, unsigned int readcnt, if (readcnt > 8) { printf("%s, SB600 SPI controller can not receive %d bytes, " - "which is limited with 8 bytes\n", __func__, readcnt); - return 1; + "it is limited to 8 bytes\n", __func__, readcnt); + return SPI_INVALID_LENGTH; } if (writecnt > 8) { - printf("%s, SB600 SPI controller can not sent %d bytes, " - "which is limited with 8 bytes\n", __func__, writecnt); - return 1; + printf("%s, SB600 SPI controller can not send %d bytes, " + "it is limited to 8 bytes\n", __func__, writecnt); + return SPI_INVALID_LENGTH; } mmio_writeb(cmd, sb600_spibar + 0); @@ -108,5 +108,6 @@ /* Error codes */ #define SPI_INVALID_OPCODE -2 #define SPI_INVALID_ADDRESS -3 +#define SPI_INVALID_LENGTH -4 #endif /* !__SPI_H__ */ diff --git a/wbsio_spi.c b/wbsio_spi.c index 7876198f..ded0840e 100644 --- a/wbsio_spi.c +++ b/wbsio_spi.c @@ -154,7 +154,8 @@ int wbsio_spi_send_command(unsigned int writecnt, unsigned int readcnt, if (!mode) { fprintf(stderr, "%s: unsupported command type wr=%d rd=%d\n", __func__, writecnt, readcnt); - return 1; + /* Command type refers to the number of bytes read/written. */ + return SPI_INVALID_LENGTH; } OUTB(writearr[0], wbsio_spibase); |