On 8/22/21 6:58 PM, Martin Kaiser wrote:
Hi Michael,
Thus wrote Michael Straube (straube.linux@xxxxxxxxx):
On 8/21/21 6:48 PM, Martin Kaiser wrote:
Remove unnecessary variables, check the length.
Signed-off-by: Martin Kaiser <martin@xxxxxxxxx>
---
drivers/staging/r8188eu/hal/usb_ops_linux.c | 15 +++++----------
1 file changed, 5 insertions(+), 10 deletions(-)
diff --git a/drivers/staging/r8188eu/hal/usb_ops_linux.c b/drivers/staging/r8188eu/hal/usb_ops_linux.c
index e01f1ac19596..5408383ccec3 100644
--- a/drivers/staging/r8188eu/hal/usb_ops_linux.c
+++ b/drivers/staging/r8188eu/hal/usb_ops_linux.c
@@ -151,20 +151,15 @@ static int usb_write32(struct intf_hdl *pintfhdl, u32 addr, u32 val)
static int usb_writeN(struct intf_hdl *pintfhdl, u32 addr, u32 length, u8 *pdata)
{
- u16 wvalue;
- u16 len;
+ u16 wvalue = (u16)(addr & 0x0000ffff);
u8 buf[VENDOR_CMD_MAX_DATA_LEN] = {0};
- int ret;
-
+ if (length > VENDOR_CMD_MAX_DATA_LEN)
+ return -EINVAL;
- wvalue = (u16)(addr & 0x0000ffff);
- len = length;
- memcpy(buf, pdata, len);
+ memcpy(buf, pdata, length);
Hi Martin, shouldn't this be
memcpy(buf, pdata, (length & 0xffff));
I don't think this makes any difference. I've already checked that
length <= VENDOR_CMD_MAX_DATA_LEN, which is 254. memcpy takes a size_t
parameter for the number of bytes to copy. length will not overflow
this.
Best regards,
Martin
Hi Martin,
ah, I see now. You are right.
Acked-by: Michael Straube <straube.linux@xxxxxxxxx>
Thanks,
Michael
