authorAlec Berg <alecaberg@chromium.org>2015-08-04 10:31:31 -0700
committerChromeOS Commit Bot <chromeos-commit-bot@chromium.org>2015-08-04 20:50:36 +0000
commit6132b4fbc0590f8ea3f36649a77d36d28b92a95c (patch)
tree38d630b09e8f2a3ff7dc510cb98d62c1f87f5f7e
parente8720732b5caea3428bf255a9f96b7b166c7ac84 (diff)
downloadchrome-ec-6132b4fbc0590f8ea3f36649a77d36d28b92a95c.tar.gz
tcpc: fix rx buffer overrun bug
Fix buffer overrun bug when retrieving a PD message. Bug was introduced in CL:289005 BUG=chrome-os-partner:43482 BRANCH=none TEST=tested on samus. plug and unplug zinger on both ports and make sure PD MCU never crashes. Change-Id: I9d2dec0cab07f389fd935d616ab7443da412d4bd Signed-off-by: Alec Berg <alecaberg@chromium.org> Reviewed-on: https://chromium-review.googlesource.com/290417 Reviewed-by: Shawn N <shawnn@chromium.org>
-rw-r--r--common/usb_pd_tcpc.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/common/usb_pd_tcpc.c b/common/usb_pd_tcpc.c
index c899065b42..d7314b1a53 100644
--- a/common/usb_pd_tcpc.c
+++ b/common/usb_pd_tcpc.c
@@ -1002,8 +1002,12 @@ int tcpc_set_msg_header(int port, int power_role, int data_role)
int tcpc_get_message(int port, uint32_t *payload, int *head)
{
- memcpy(payload, pd[port].rx_payload, sizeof(pd[port].rx_payload));
- *head = pd[port].rx_head[pd[port].rx_buf_tail];
+ /* Get message at tail of RX buffer */
+ int idx = pd[port].rx_buf_tail;
+
+ memcpy(payload, pd[port].rx_payload[idx],
+ sizeof(pd[port].rx_payload[idx]));
+ *head = pd[port].rx_head[idx];
return EC_SUCCESS;
}
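Review bot: The `memcpy` in `tcpc_get_message` still writes a full RX slot, `sizeof(pd[port].rx_payload[idx])` bytes, into `payload`, and the function takes no destination length, so nothing here stops the overrun from returning if a caller passes a smaller buffer. The fix bounds the source side only; the requirement on the destination is implicit. I would state it above the function, for example `/* payload must have room for one full RX slot, sizeof(pd[port].rx_payload[0]) bytes */`. Separately, `port` indexes `pd[]` with no range check in the visible lines; if callers outside this hunk do not already guarantee it is valid, a guard at the top of the function would be worth adding.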