Nico Huber has submitted this change and it was merged. ( https://review.coreboot.org/c/flashrom/+/33614 )
Change subject: dediprog: Bail out on unsupported, long transfers ......................................................................
dediprog: Bail out on unsupported, long transfers
Change-Id: I7b16701597909c015f98199e73ebb7d923f2b072 Signed-off-by: Nico Huber nico.h@gmx.de Reviewed-on: https://review.coreboot.org/c/flashrom/+/33614 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: David Hendricks david.hendricks@gmail.com Reviewed-by: Ryan O'Leary Reviewed-by: ron minnich rminnich@gmail.com --- M dediprog.c 1 file changed, 9 insertions(+), 1 deletion(-)
Approvals: build bot (Jenkins): Verified David Hendricks: Looks good to me, approved ron minnich: Looks good to me, approved Ryan O'Leary: Looks good to me, but someone else must approve
diff --git a/dediprog.c b/dediprog.c index 8552a3c..8029b64 100644 --- a/dediprog.c +++ b/dediprog.c @@ -362,7 +362,15 @@
static int prepare_rw_cmd( struct flashctx *const flash, uint8_t *data_packet, unsigned int count, - uint8_t dedi_spi_cmd, unsigned int *value, unsigned int *idx, unsigned int start, int is_read) { + uint8_t dedi_spi_cmd, unsigned int *value, unsigned int *idx, unsigned int start, int is_read) +{ + if (count >= 1 << 16) { + msg_perr("%s: Unsupported transfer length of %u blocks! " + "Please report a bug at flashrom@flashrom.org\n", + __func__, count); + return 1; + } + /* First 5 bytes are common in both generations. */ data_packet[0] = count & 0xff; data_packet[1] = (count >> 8) & 0xff;