Hi Michael,
Thus wrote Michael Straube (straube.linux@xxxxxxxxx):
> On 8/21/21 6:48 PM, Martin Kaiser wrote:
> > Remove unnecessary variables, check the length.
> > Signed-off-by: Martin Kaiser <martin@xxxxxxxxx>
> > ---
> > drivers/staging/r8188eu/hal/usb_ops_linux.c | 15 +++++----------
> > 1 file changed, 5 insertions(+), 10 deletions(-)
> > diff --git a/drivers/staging/r8188eu/hal/usb_ops_linux.c b/drivers/staging/r8188eu/hal/usb_ops_linux.c
> > index e01f1ac19596..5408383ccec3 100644
> > --- a/drivers/staging/r8188eu/hal/usb_ops_linux.c
> > +++ b/drivers/staging/r8188eu/hal/usb_ops_linux.c
> > @@ -151,20 +151,15 @@ static int usb_write32(struct intf_hdl *pintfhdl, u32 addr, u32 val)
> > static int usb_writeN(struct intf_hdl *pintfhdl, u32 addr, u32 length, u8 *pdata)
> > {
> > - u16 wvalue;
> > - u16 len;
> > + u16 wvalue = (u16)(addr & 0x0000ffff);
> > u8 buf[VENDOR_CMD_MAX_DATA_LEN] = {0};
> > - int ret;
> > -
> > + if (length > VENDOR_CMD_MAX_DATA_LEN)
> > + return -EINVAL;
> > - wvalue = (u16)(addr & 0x0000ffff);
> > - len = length;
> > - memcpy(buf, pdata, len);
> > + memcpy(buf, pdata, length);
> Hi Martin, shouldn't this be
> memcpy(buf, pdata, (length & 0xffff));
I don't think this makes any difference. I've already checked that
length <= VENDOR_CMD_MAX_DATA_LEN, which is 254. memcpy takes a size_t
parameter for the number of bytes to copy. length will not overflow
this.
Best regards,
Martin
