Cascoda / ca8210-linux

Linux kernel driver for direct SPI communication with Cascoda's CA-8210 IEEE 802.15.4 transceiver
BSD 3-Clause "New" or "Revised" License

potential memory corruption #7

Closed tjobanpu closed 7 years ago

tjobanpu commented 7 years ago

In the function ca8210_rx_done(), there is a check to see if the received packet is greater than the buffer that we have to hold the received packet:

uint8_t buf[CA8210_SPI_BUF_SIZE];
if(len > CA8210_SPI_BUF_SIZE) {debug message}
memcpy(buf,rx_final_buf,len);

Won't the above code cause memory corruption because buf cannot hold more than CA8210_SPI_BUF_SIZE?

HarryMorris commented 7 years ago

You're absolutely right, I've pushed a commit to fix this problem:

if (len > CA8210_SPI_BUF_SIZE) {
    dev_crit(
        &priv->spi->dev,
        "Received packet len (%d) erroneously long\n",
        len
    );
    memset(
        priv->cas_ctl.rx_final_buf,
        SPI_IDLE,
        CA8210_SPI_BUF_SIZE
    );
    spin_unlock_irqrestore(&priv->lock, flags);
    return;
}

Having never seen this occur I hadn't thought about safe recovery. Thanks for spotting it!
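The pattern from this thread as a user-space model, added here as an example and not taken from the driver: the length check has to return before the memcpy, because logging and then copying anyway still writes past the buffer. `DEMO_BUF_SIZE`, `DEMO_IDLE`, `struct demo_rx` and both functions are hypothetical stand-ins, and their values are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_BUF_SIZE 16   /* assumed; stands in for CA8210_SPI_BUF_SIZE */
#define DEMO_IDLE     0xFF /* assumed; stands in for SPI_IDLE */

/* Hypothetical model of the receive state; not the driver's structures. */
struct demo_rx {
    uint8_t rx_final_buf[DEMO_BUF_SIZE]; /* bytes staged from the bus */
    uint8_t buf[DEMO_BUF_SIZE];          /* fixed-size destination */
    unsigned dropped;                    /* count of rejected frames */
};

/*
 * Copy a frame of `len` bytes into the fixed buffer. Returns the number
 * of bytes copied, or -1 when the reported length cannot fit.
 */
static int demo_rx_done(struct demo_rx *rx, size_t len)
{
    if (len > DEMO_BUF_SIZE) {
        fprintf(stderr, "received packet len (%zu) erroneously long\n", len);
        /* Reset the staging buffer to idle so stale bytes are not reused. */
        memset(rx->rx_final_buf, DEMO_IDLE, sizeof(rx->rx_final_buf));
        rx->dropped++;
        return -1; /* bail out before the copy */
    }
    memcpy(rx->buf, rx->rx_final_buf, len);
    return (int)len;
}

/* Constructed sample input: stage a byte pattern, then process `len`. */
static int demo_feed(struct demo_rx *rx, size_t len)
{
    for (size_t i = 0; i < sizeof(rx->rx_final_buf); i++)
        rx->rx_final_buf[i] = (uint8_t)i;
    return demo_rx_done(rx, len);
}

int main(void)
{
    struct demo_rx rx = {0};

    printf("len 8 -> %d, len 16 -> %d\n", demo_feed(&rx, 8), demo_feed(&rx, 16));
    printf("len 40 -> %d (dropped=%u)\n", demo_feed(&rx, 40), rx.dropped);
    return 0;
}
```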