authorNick Foster <nick@nerdnetworks.org>2011-04-21 11:00:08 -0700
committerNick Foster <nick@nerdnetworks.org>2011-04-21 16:12:53 -0700
commit737f0100431736326e8c586f69a893ba0d6fb2c3 (patch)
tree32c9a621edd6f7cea47ecdf9d8d90e8554c5fe51 /firmware
parentb1c9e4c315f0248c0f9ce2fb9913f213a9919a66 (diff)
N210: Additional checks on both the host and firmware sides of the firmware updater.
Diffstat (limited to 'firmware')
-rw-r--r--firmware/zpu/usrp2p/spi_flash.c10
1 files changed, 9 insertions, 1 deletions
diff --git a/firmware/zpu/usrp2p/spi_flash.c b/firmware/zpu/usrp2p/spi_flash.c
index 25fc239be..2033b8035 100644
--- a/firmware/zpu/usrp2p/spi_flash.c
+++ b/firmware/zpu/usrp2p/spi_flash.c
@@ -51,6 +51,8 @@ void
spi_flash_erase_sector_start(uint32_t flash_addr)
{
//uprintf(UART_DEBUG, "spi_flash_erase_sector_start: addr = 0x%x\n", flash_addr);
+ if(flash_addr > spi_flash_memory_size())
+ return;
spi_flash_wait();
spi_flash_write_enable();
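Review bot: The new guard in spi_flash_erase_sector_start uses `>`, so `flash_addr == spi_flash_memory_size()` still passes even though the last valid byte address is one below the size. The check should be `if (flash_addr >= spi_flash_memory_size()) return;`. The function returns void, so a rejected erase is silent to the caller; a short comment saying so would help, since the rest of the body lies outside the hunk.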
@@ -65,6 +67,10 @@ spi_flash_page_program_start(uint32_t flash_addr, size_t nbytes, const void *buf
if (nbytes == 0 || nbytes > SPI_FLASH_PAGE_SIZE)
return false;
+ //please to not be writing past the end of the device
+ if ((flash_addr + nbytes) > spi_flash_memory_size())
+ return false;
+
uint32_t local_buf[SPI_FLASH_PAGE_SIZE / sizeof(uint32_t)];
memset(local_buf, 0xff, sizeof(local_buf)); // init to 0xff (nops when programming)
memcpy(local_buf, buf, nbytes);
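Review bot: The bound `(flash_addr + nbytes) > spi_flash_memory_size()` can wrap, because `flash_addr` is `uint32_t` and `size_t` is presumably 32 bits on this target. A large enough address then yields a small sum that passes the check. In spi_flash_page_program_start the earlier `nbytes > SPI_FLASH_PAGE_SIZE` test limits this to addresses near the top of the 32-bit range. The same expression in spi_flash_program and spi_flash_async_erase_start has no visible limit on `nbytes`, and if these values come from the host-side updater they should be treated as untrusted. A subtraction-based form avoids the wrap: `if (flash_addr > spi_flash_memory_size() || nbytes > spi_flash_memory_size() - flash_addr) return false;`, with the equivalent condition in the other two hunks.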
@@ -130,6 +136,8 @@ spi_flash_program(uint32_t flash_addr, size_t nbytes, const void *buf)
const unsigned char *p = (const unsigned char *) buf;
size_t n;
+ if ((nbytes + flash_addr) > spi_flash_memory_size())
+ return false;
if (nbytes == 0)
return true;
@@ -158,7 +166,7 @@ void
spi_flash_async_erase_start(spi_flash_async_state_t *s,
uint32_t flash_addr, size_t nbytes)
{
- if (nbytes == 0){
+ if ((nbytes == 0) || ((flash_addr + nbytes) > spi_flash_memory_size())){
s->first = s->last = s->current = 0;
return;
}
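Review bot: An out-of-range request in spi_flash_async_erase_start now takes the same branch as `nbytes == 0`, so a rejected erase looks the same to the caller as an empty one. The function is void and the state is just zeroed, so nothing visible here reports the rejection; spi_flash_erase_sector_start has the same silent return. If the rest of the updater treats the zeroed state as "erase finished", a refused erase could be reported to the host as success, so it is worth confirming how the caller reads `s`. At minimum, add a comment on the branch such as `// empty or out-of-range request: nothing is erased, state is left idle`. The function body continues past this hunk.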