cros_ec: sandbox: Use correct value for number of slots

In the definition of struct ec_state the number of slots that are
created is VSTORE_SLOT_COUNT (==4) but the value of req->slot is
checked against EC_VSTORE_SLOT_MAX (==32) so this can lead to memory
access beyond that allocated.
Instead change the size check to use VSTORE_SLOT_COUNT to ensure it
matches what has actually been allocated.

This issue found by Smatch.

Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>

diff --git a/drivers/misc/cros_ec_sandbox.c b/drivers/misc/cros_ec_sandbox.c
index 3ac690a3733695105290aca7c87235fe0d13dbd1..432b1fbb0c485d8a99d8336462fddad536a95e0a 100644 (file)
--- a/drivers/misc/cros_ec_sandbox.c
+++ b/drivers/misc/cros_ec_sandbox.c
@@ -540,7 +540,7 @@ static int process_cmd(struct ec_state *ec,
                const struct ec_params_vstore_write *req = req_data;
                struct vstore_slot *slot;
 
-               if (req->slot >= EC_VSTORE_SLOT_MAX)
+               if (req->slot >= VSTORE_SLOT_COUNT)
                        return -EINVAL;
                slot = &ec->slot[req->slot];
                slot->locked = true;
@@ -553,7 +553,7 @@ static int process_cmd(struct ec_state *ec,
                struct ec_response_vstore_read *resp = resp_data;
                struct vstore_slot *slot;
 
-               if (req->slot >= EC_VSTORE_SLOT_MAX)
+               if (req->slot >= VSTORE_SLOT_COUNT)
                        return -EINVAL;
                slot = &ec->slot[req->slot];
                memcpy(resp->data, slot->data, EC_VSTORE_SLOT_SIZE);