From c7b269ace1bbe07d5db7a562bb9242f4be32be67 Mon Sep 17 00:00:00 2001
From: Antonio Borneo <borneo.antonio@gmail.com>
Date: Fri, 16 Apr 2010 01:17:01 +0800
Subject: NOR/CFI: check "flash bank" command arguments

Arguments chip_width and bus_width of command "flash bank" are
not fully checked.
While bus_width is later on redundantly checked in several other
parts (e.g. in cfi_command_val()) and generates run-time error,
chip_width is never checked, nor related to actual bus_width
value.
Added check to avoid:
- (chip_width == 0), that would mean no memory chip at all,
  avoiding also division by zero e.g. in cfi_get_u8();
- (bus_width == 0), that would mean no bus at all;
- unsupported cases of chip_width or bus_width value not power
  of 2;
- unsupported case of chip width wider than bus.

Signed-off-by: Antonio Borneo <borneo.antonio@gmail.com>
---
 src/flash/nor/cfi.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

(limited to 'src/flash/nor')

diff --git a/src/flash/nor/cfi.c b/src/flash/nor/cfi.c
index 2235c85c..ba2d9095 100644
--- a/src/flash/nor/cfi.c
+++ b/src/flash/nor/cfi.c
@@ -624,8 +624,18 @@ FLASH_BANK_COMMAND_HANDLER(cfi_flash_bank_command)
 		return ERROR_FLASH_BANK_INVALID;
 	}
 
+	/* both widths must:
+	 * - not exceed max value;
+	 * - not be null;
+	 * - be equal to a power of 2.
+	 * bus must be wide enought to hold one chip */
 	if ((bank->chip_width > CFI_MAX_CHIP_WIDTH)
-			|| (bank->bus_width > CFI_MAX_BUS_WIDTH))
+			|| (bank->bus_width > CFI_MAX_BUS_WIDTH)
+			|| (bank->chip_width == 0)
+			|| (bank->bus_width == 0)
+			|| (bank->chip_width & (bank->chip_width - 1))
+			|| (bank->bus_width & (bank->bus_width - 1))
+			|| (bank->chip_width > bank->bus_width))
 	{
 		LOG_ERROR("chip and bus width have to specified in bytes");
 		return ERROR_FLASH_BANK_INVALID;
-- 
cgit v1.2.3