[dev][sdmmc] Fix missized buffer and missing returns
Fix two problems:
1) The sdmmc_query function was reporting the wrong struct size, causing
transaction structs to be incorrectly sized. With a small change to the
struct, this could easily turn into a buffer overrun when accessing the
transaction structure.
2) Two early-return cases were missing returns, potentially causing two
completion callback invocations in those cases.
ZX-1851 #done
Change-Id: I35c0cbd46f223f648799e65da5801775210cb6fc
diff --git a/system/dev/block/sdmmc/sdmmc.c b/system/dev/block/sdmmc/sdmmc.c
index 7d25e74..5013f65 100644
--- a/system/dev/block/sdmmc/sdmmc.c
+++ b/system/dev/block/sdmmc/sdmmc.c
@@ -166,7 +166,7 @@
static void sdmmc_query(void* ctx, block_info_t* info_out, size_t* block_op_size_out) {
sdmmc_device_t* dev = ctx;
memcpy(info_out, &dev->block_info, sizeof(*info_out));
- *block_op_size_out = sizeof(sdmmc_req_t);
+ *block_op_size_out = sizeof(sdmmc_txn_t);
}
static void sdmmc_queue(void* ctx, block_op_t* btxn) {
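Review bot: The corrected `*block_op_size_out = sizeof(sdmmc_txn_t);` carries no comment explaining why the larger container type is the right size here, which is exactly how the original `sizeof(sdmmc_req_t)` slipped in; I would add `// Size of the per-request container the block core allocates; it embeds block_op_t, so it must be the outer type, not the inner request.` above the assignment. Presumably sdmmc_queue casts the `block_op_t*` it is handed back to an `sdmmc_txn_t*`, in which case a `static_assert` that the embedded `block_op_t` sits at offset 0 of `sdmmc_txn_t` (using whatever that member is named) would turn a future layout change into a compile error instead of the overrun the commit message describes. sdmmc_queue's body is outside this hunk.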
@@ -179,9 +179,11 @@
uint64_t max = dev->block_info.block_count;
if ((btxn->rw.offset_dev >= max) || ((max - btxn->rw.offset_dev) < btxn->rw.length)) {
block_complete(btxn, ZX_ERR_OUT_OF_RANGE);
+ return;
}
if (btxn->rw.length == 0) {
block_complete(btxn, ZX_OK);
+ return;
}
break;
}
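Review bot: The invariant these two `return`s restore, that each validation branch either completes the op and leaves or falls through to queuing but never both, is not stated anywhere, so the next branch added here can repeat the double-completion bug; a comment above the range check such as `// Every early-completion path must return: falling through after block_complete() would complete the op twice.` would make it explicit. One minor ordering observation: the `length == 0` check still comes after the range check, so a zero-length op with `offset_dev == block_count` is rejected with ZX_ERR_OUT_OF_RANGE rather than completed with ZX_OK; if that is intended, say so in the comment, otherwise swap the two checks. The enclosing switch and sdmmc_queue both begin before and end after this hunk.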