From d0ee126b4cdc368c36ae6660d66fed1524476e59 Mon Sep 17 00:00:00 2001 From: Vadim Bendebury Date: Thu, 1 Jun 2017 21:43:29 -0700 Subject: [PATCH] cr50: usb_upgrade: pass proper number of bytes to the vendor commands The code invoking vendor commands callbacks rightly passes the pointer to the command payload as the address right after the subcommand field, but does not deduct the size of the subcommand field from the size of the payload passed to the handler. This patch fixes the issue, the command handlers do not see two extra bytes at the tail of the command any more. BRANCH=cr50 BUG=b:62294740, b:35545754 TEST=verified that vendor commands sent over USB and TPM still work properly (in particular the TURN_UPDATE_ON command). Change-Id: I11a45f65163044f808a82b214f9c5faf775f9020 Signed-off-by: Vadim Bendebury Reviewed-on: https://chromium-review.googlesource.com/522943 Reviewed-by: Aseda Aboagye --- chip/g/usb_upgrade.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/chip/g/usb_upgrade.c b/chip/g/usb_upgrade.c index 1379e38c1d..ff1e7f4048 100644 --- a/chip/g/usb_upgrade.c +++ b/chip/g/usb_upgrade.c @@ -144,6 +144,7 @@ static int try_vendor_command(struct consumer const *consumer, size_t count) count - offsetof(struct update_frame_header, cmd))) { uint16_t *subcommand; size_t response_size; + size_t request_size; /* looks good, let's process it. */ rv = 1; @@ -152,10 +153,12 @@ static int try_vendor_command(struct consumer const *consumer, size_t count) queue_advance_head(consumer->queue, count); subcommand = (uint16_t *)(cmd_buffer + 1); + request_size = count - sizeof(struct update_frame_header) - + sizeof(*subcommand); + usb_extension_route_command(be16toh(*subcommand), subcommand + 1, - count - - sizeof(struct update_frame_header), + request_size, &response_size); QUEUE_ADD_UNITS(&upgrade_to_usb, subcommand + 1, response_size);