mfd: rave-sp: Remove VLA
author Kyle Spiers <ksspiers@google.com>
Fri, 27 Apr 2018 22:30:23 +0000 (15:30 -0700)
committer Lee Jones <lee.jones@linaro.org>
Wed, 16 May 2018 08:21:48 +0000 (09:21 +0100)
As part of the effort to remove VLAs from the kernel[1], this creates
constants for the checksum lengths of CCITT and 8B2C and changes
crc_calculated to be the maximum size of a checksum.

[1] https://lkml.org/lkml/2018/3/7/621

Signed-off-by: Kyle Spiers <ksspiers@google.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
drivers/mfd/rave-sp.c

index cb0cc9d509a02fcbbaaa5020210a6a7cd97b9ee1..36dcd98977d6da6add1075b19376fe8ab562e936 100644 (file)
@@ -45,7 +45,9 @@
 #define RAVE_SP_DLE                    0x10
 
 #define RAVE_SP_MAX_DATA_SIZE          64
-#define RAVE_SP_CHECKSUM_SIZE          2  /* Worst case scenario on RDU2 */
+#define RAVE_SP_CHECKSUM_8B2C          1
+#define RAVE_SP_CHECKSUM_CCITT         2
+#define RAVE_SP_CHECKSUM_SIZE          RAVE_SP_CHECKSUM_CCITT
 /*
  * We don't store STX, ETX and unescaped bytes, so Rx is only
  * DATA + CSUM
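Review bot: RAVE_SP_CHECKSUM_SIZE now sizes the on-stack checksum buffer, but the define `RAVE_SP_CHECKSUM_SIZE RAVE_SP_CHECKSUM_CCITT` no longer says that it must be the largest checksum length; the removed "Worst case scenario on RDU2" comment was the only place that was recorded. Please keep a comment on the define stating that it has to equal the maximum of all RAVE_SP_CHECKSUM_* values, so that a future checksum type longer than CCITT is added together with a bump of this constant rather than being silently dropped by the new length check in rave_sp_receive_frame().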
@@ -449,7 +451,12 @@ static void rave_sp_receive_frame(struct rave_sp *sp,
        const size_t payload_length  = length - checksum_length;
        const u8 *crc_reported       = &data[payload_length];
        struct device *dev           = &sp->serdev->dev;
-       u8 crc_calculated[checksum_length];
+       u8 crc_calculated[RAVE_SP_CHECKSUM_SIZE];
+
+       if (unlikely(checksum_length > sizeof(crc_calculated))) {
+               dev_warn(dev, "Checksum too long, dropping\n");
+               return;
+       }
 
        print_hex_dump_debug("rave-sp rx: ", DUMP_PREFIX_NONE,
                             16, 1, data, length, false);
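Review bot: The new guard in rave_sp_receive_frame() only bounds checksum_length from above, while the initializer `const size_t payload_length = length - checksum_length;` a few lines earlier still runs before any validation, and nothing in the visible context checks that length is at least checksum_length. Since payload_length is a size_t, a frame shorter than the checksum would wrap it and leave crc_reported pointing outside data. Consider rejecting `length < checksum_length` in the same early-return block (or moving the two derived initializers below it) so both bounds are enforced before they are used. As a smaller point, this is a receive path, so dev_warn_ratelimited() would keep a repeatedly failing frame from flooding the log.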