mfd: rave-sp: Check received frame length before accepting next byte

Check received frame length _before_ accepting next byte in order to
avoid incorrectly rejecting payloads that are RAVE_SP_RX_BUFFER_SIZE
long.

Signed-off-by: Andrey Smirnov <andrew.smirnov@gmail.com>
Tested-by: Lucas Stach <l.stach@pengutronix.de>
Signed-off-by: Lee Jones <lee.jones@linaro.org>

diff --git a/drivers/mfd/rave-sp.c b/drivers/mfd/rave-sp.c
index b70416050a81aa7b3c4d0a14e49a88a6e8c24083..cb0cc9d509a02fcbbaaa5020210a6a7cd97b9ee1 100644 (file)
--- a/drivers/mfd/rave-sp.c
+++ b/drivers/mfd/rave-sp.c
@@ -546,8 +546,6 @@ static int rave_sp_receive_buf(struct serdev_device *serdev,
                        /* FALLTHROUGH */
 
                case RAVE_SP_EXPECT_ESCAPED_DATA:
-                       deframer->data[deframer->length++] = byte;
-
                        if (deframer->length == sizeof(deframer->data)) {
                                dev_warn(dev, "Bad frame: Too long\n");
                                /*
@@ -562,6 +560,8 @@ static int rave_sp_receive_buf(struct serdev_device *serdev,
                                goto reset_framer;
                        }
 
+                       deframer->data[deframer->length++] = byte;
+
                        /*
                         * We've extracted out special byte, now we
                         * can go back to regular data collecting