V4L/DVB (12755): af9015: improve usb control message function slightly

* define names for few values * decrease buffer len by one byte which was not used * add check for buffer overflow for sure * indentation fixes * remove useless 0 len check from memcpy It should not happen and if it happens memcpy should not do anything. Signed-off-by: Antti Palosaari <crope@iki.fi> Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com>
author: Antti Palosaari <crope@iki.fi> 2009-09-12 19:46:30 -0400
committer: Mauro Carvalho Chehab <mchehab@redhat.com> 2009-09-18 22:47:53 -0400
commit: 06565d7a4231b77a1181f5b853b076f374535649 (patch)
tree: 95358577cafb9a366fb1b3b3694e26df975793d1
parent: 9c863278097a4905a78ee0d70d417641aecfac2e (diff)
1 files changed, 24 insertions, 8 deletions
diff --git a/drivers/media/dvb/dvb-usb/af9015.c b/drivers/media/dvb/dvb-usb/af9015.c
index fdfa0f54291c..ebb9981eb89e 100644
--- a/drivers/media/dvb/dvb-usb/af9015.c
+++ b/drivers/media/dvb/dvb-usb/af9015.c
@@ -61,10 +61,13 @@ static struct af9013_config af9015_af9013_config[] = {
 static int af9015_rw_udev(struct usb_device *udev, struct req_t *req)
 {
+#define BUF_LEN 63
+#define REQ_HDR_LEN 8 /* send header size */
+#define ACK_HDR_LEN 2 /* rece header size */
        int act_len, ret;
-        u8 buf[64];
+        u8 buf[BUF_LEN];
        u8 write = 1;
-        u8 msg_len = 8;
+        u8 msg_len = REQ_HDR_LEN;
        static u8 seq; /* packet sequence number */
        if (mutex_lock_interruptible(&af9015_usb_mutex) < 0)
@@ -107,17 +110,26 @@ static int af9015_rw_udev(struct usb_device *udev, struct req_t *req)
                goto error_unlock;
        }
+        /* buffer overflow check */
+        if ((write && (req->data_len > BUF_LEN - REQ_HDR_LEN)) ||
+                (!write && (req->data_len > BUF_LEN - ACK_HDR_LEN))) {
+                err("too much data; cmd:%d len:%d", req->cmd, req->data_len);
+                ret = -EINVAL;
+                goto error_unlock;
+        }
        /* write requested */
        if (write) {
-                memcpy(&buf[8], req->data, req->data_len);
+                memcpy(&buf[REQ_HDR_LEN], req->data, req->data_len);
                msg_len += req->data_len;
        }
        deb_xfer(">>> ");
        debug_dump(buf, msg_len, deb_xfer);
        /* send req */
        ret = usb_bulk_msg(udev, usb_sndbulkpipe(udev, 0x02), buf, msg_len,
-        &act_len, AF9015_USB_TIMEOUT);
+                &act_len, AF9015_USB_TIMEOUT);
        if (ret)
                err("bulk message failed:%d (%d/%d)", ret, msg_len, act_len);
        else
@@ -130,10 +142,14 @@ static int af9015_rw_udev(struct usb_device *udev, struct req_t *req)
        if (req->cmd == DOWNLOAD_FIRMWARE || req->cmd == RECONNECT_USB)
                goto exit_unlock;
-        /* receive ack and data if read req */
+        /* write receives seq + status = 2 bytes
-        msg_len = 1 + 1 + req->data_len;  /* seq + status + data len */
+           read receives seq + status + data = 2 + N bytes */
+        msg_len = ACK_HDR_LEN;
+        if (!write)
+                msg_len += req->data_len;
        ret = usb_bulk_msg(udev, usb_rcvbulkpipe(udev, 0x81), buf, msg_len,
-                           &act_len, AF9015_USB_TIMEOUT);
+                &act_len, AF9015_USB_TIMEOUT);
        if (ret) {
                err("recv bulk message failed:%d", ret);
                ret = -1;
@@ -159,7 +175,7 @@ static int af9015_rw_udev(struct usb_device *udev, struct req_t *req)
        /* read request, copy returned data to return buf */
        if (!write)
-                memcpy(req->data, &buf[2], req->data_len);
+                memcpy(req->data, &buf[ACK_HDR_LEN], req->data_len);
 error_unlock:
 exit_unlock:
author	Antti Palosaari <crope@iki.fi>	2009-09-12 19:46:30 -0400
committer	Mauro Carvalho Chehab <mchehab@redhat.com>	2009-09-18 22:47:53 -0400
commit	06565d7a4231b77a1181f5b853b076f374535649 (patch)
tree	95358577cafb9a366fb1b3b3694e26df975793d1
parent	9c863278097a4905a78ee0d70d417641aecfac2e (diff)