If bytes is larger than EC_MEMMAP_SIZE (255) then "EC_MEMMAP_SIZE - bytes" is a very high unsigned value and basically offset is accepted. The second problem is that it uses >= instead of > so this means that we are not able to read the very last byte. Fixes: ec2f33ab582b ("platform/chrome: Add cros_ec_lpc driver for x86 devices") Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> --- drivers/platform/chrome/cros_ec_lpc.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/drivers/platform/chrome/cros_ec_lpc.c b/drivers/platform/chrome/cros_ec_lpc.c index d6306d2a096f..7e1d175def9f 100644 --- a/drivers/platform/chrome/cros_ec_lpc.c +++ b/drivers/platform/chrome/cros_ec_lpc.c @@ -290,7 +290,8 @@ static int cros_ec_lpc_readmem(struct cros_ec_device *ec, unsigned int offset, char *s = dest; int cnt = 0; - if (offset >= EC_MEMMAP_SIZE - bytes) + if (offset > EC_MEMMAP_SIZE || + bytes > EC_MEMMAP_SIZE - offset) return -EINVAL; /* fixed length */ -- 2.20.1
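Review bot: In the rewritten check in cros_ec_lpc_readmem(), the first clause `offset > EC_MEMMAP_SIZE` still lets offset == EC_MEMMAP_SIZE through when bytes is 0, because the second clause then evaluates `0 > 0`. The code that handles a zero bytes value lies past the visible context (only the "/* fixed length */" comment is shown), so it is worth confirming that nothing after this check indexes the memory map at offset in that case. If it can, the first clause should be `offset >= EC_MEMMAP_SIZE`, with the bytes == 0 case handled explicitly. Separately, the ordering of the two clauses is what keeps `EC_MEMMAP_SIZE - offset` from wrapping, which is the same class of unsigned underflow the commit message describes for the old `EC_MEMMAP_SIZE - bytes` expression. A one-line comment above the condition saying so would protect it from being "simplified" back into a single subtraction later.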