2020-03-28 16:44:29

by George Spelvin

[permalink] [raw]
Subject: [RFC PATCH v1 35/50] USB: serial: iuu_phoenix: Use pseudorandom for xmas mode

I also fixed a couple of buffer overrun bugs in iuu_led_activity_on,
based on code not expecting the "*buf_ptr++" to have been incremented.

- In xmas mode, the final setting of the period byte to 1 was
done to buf_ptr[7], which was past the end of the buffer.
- In non-xmas mode, iuu_rgbf_fill_buffer() fills in 8 bytes starting
with the IUU_SET_LED command. The net result is duplicating the
command and writing an extra byte off the end of the buffer.

I rewrote the code to omit the ++, which is more legible.

Not tested because I don't have the hardware, but I don't think
this code has been exercised much anyway.

Signed-off-by: George Spelvin <[email protected]>
Cc: Johan Hovold <[email protected]>
---
drivers/usb/serial/iuu_phoenix.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/usb/serial/iuu_phoenix.c b/drivers/usb/serial/iuu_phoenix.c
index d5bff69b1769b..7aeea7b5ba8db 100644
--- a/drivers/usb/serial/iuu_phoenix.c
+++ b/drivers/usb/serial/iuu_phoenix.c
@@ -353,10 +353,11 @@ static void iuu_led_activity_on(struct urb *urb)
struct usb_serial_port *port = urb->context;
int result;
char *buf_ptr = port->write_urb->transfer_buffer;
- *buf_ptr++ = IUU_SET_LED;
+
if (xmas) {
- get_random_bytes(buf_ptr, 6);
- *(buf_ptr+7) = 1;
+ buf_ptr[0] = IUU_SET_LED;
+ prandom_bytes(buf_ptr+1, 6);
+ buf_ptr[7] = 1;
} else {
iuu_rgbf_fill_buffer(buf_ptr, 255, 255, 0, 0, 0, 0, 255);
}
--
2.26.0