From: Johan Hovold <johan@hovoldconsulting.com>
Date: Wed, 24 Feb 2016 15:11:50 +0000 (+0100)
Subject: greybus: uart: add missing serial-state sanity check
X-Git-Tag: v4.9.8~1233^2~378^2~21^2~653
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=cb7f00ba5f581ca2f0848dd2ed77f1b9d793c648;p=platform%2Fkernel%2Flinux-rpi3.git

greybus: uart: add missing serial-state sanity check

Add dedicated serial-state request handler and add the missing sanity
check on the incoming request.

Reviewed-by: Rui Miguel Silva <rui.silva@linaro.org>
Signed-off-by: Johan Hovold <johan@hovoldconsulting.com>
Reviewed-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
---

diff --git a/drivers/staging/greybus/uart.c b/drivers/staging/greybus/uart.c
index 60617cb..c09a76b 100644
--- a/drivers/staging/greybus/uart.c
+++ b/drivers/staging/greybus/uart.c
@@ -103,13 +103,32 @@ static int gb_uart_receive_data(struct gb_tty *gb_tty,
 	return 0;
 }
 
-static int gb_uart_request_recv(u8 type, struct gb_operation *op)
+static int gb_uart_serial_state_handler(struct gb_operation *op)
 {
 	struct gb_connection *connection = op->connection;
 	struct gb_tty *gb_tty = connection->private;
 	struct gb_message *request = op->request;
 	struct gb_uart_serial_state_request *serial_state;
-	int ret = 0;
+
+	if (request->payload_size < sizeof(*serial_state)) {
+		dev_err(&connection->bundle->dev,
+				"short serial-state event received (%zu < %zu)\n",
+				request->payload_size, sizeof(*serial_state));
+		return -EINVAL;
+	}
+
+	serial_state = request->payload;
+	gb_tty->ctrlin = serial_state->control;
+
+	return 0;
+}
+
+static int gb_uart_request_recv(u8 type, struct gb_operation *op)
+{
+	struct gb_connection *connection = op->connection;
+	struct gb_tty *gb_tty = connection->private;
+	struct gb_message *request = op->request;
+	int ret;
 
 	switch (type) {
 	case GB_UART_TYPE_RECEIVE_DATA:
@@ -117,8 +136,7 @@ static int gb_uart_request_recv(u8 type, struct gb_operation *op)
 					   request->payload);
 		break;
 	case GB_UART_TYPE_SERIAL_STATE:
-		serial_state = request->payload;
-		gb_tty->ctrlin = serial_state->control;
+		ret = gb_uart_serial_state_handler(op);
 		break;
 	default:
 		dev_err(&connection->bundle->dev,