rpmsgblk: use a fixed length struct to transfer between two cpus

It may cause out_of_bounds when two side have different configuartion
on NAME_MAX and FS_LARGEFILE(affects size of blkcnt_t)

Signed-off-by: liaoao <liaoao@xiaomi.com>

drivers/misc/rpmsgblk.c

@@ -434,9 +434,7 @@ static int rpmsgblk_geometry(FAR struct inode *inode,
                              FAR struct geometry *geometry)
 {
   FAR struct rpmsgblk_s *priv = inode->i_private;
-  struct rpmsgblk_geometry_s *msg;
+  struct rpmsgblk_geometry_s msg;
-  uint32_t space;
-  int msglen;
   int ret;
 
   /* Sanity checks */
@@ -457,25 +455,19 @@ static int rpmsgblk_geometry(FAR struct inode *inode,
       goto out;
     }
 
-  msglen = sizeof(*msg) + sizeof(*geometry) - 1;
+  ret = rpmsgblk_send_recv(priv, RPMSGBLK_GEOMETRY, true, &msg.header,
-
+                           sizeof(msg), NULL);
-  msg = rpmsgblk_get_tx_payload_buffer(priv, &space);
-  if (msg == NULL)
-    {
-      ret = -ENOMEM;
-      goto out;
-    }
-
-  DEBUGASSERT(space > msglen);
-
-  msg->arg    = (uintptr_t)geometry;
-  msg->arglen = sizeof(*geometry);
-  memcpy(msg->buf, geometry, sizeof(*geometry));
-
-  ret = rpmsgblk_send_recv(priv, RPMSGBLK_GEOMETRY, false, &msg->header,
-                           msglen, geometry);
   if (ret >= 0)
     {
+      DEBUGASSERT(msg.nsectors == (blkcnt_t)msg.nsectors);
+      DEBUGASSERT(strlen(msg.model) <= RPMSGBLK_NAME_MAX);
+
+      geometry->geo_available = msg.available;
+      geometry->geo_mediachanged = msg.mediachanged;
+      geometry->geo_writeenabled = msg.writeenabled;
+      geometry->geo_nsectors = msg.nsectors;
+      geometry->geo_sectorsize = msg.sectorsize;
+      strlcpy(geometry->geo_model, msg.model, sizeof(geometry->geo_model));
       memcpy(&priv->geo, geometry, sizeof(priv->geo));
     }
 
@@ -520,8 +512,6 @@ static ssize_t rpmsgblk_ioctl_arglen(int cmd, unsigned long arg)
         return sizeof(struct mtd_smart_procfs_data_s);
       case BIOC_DEBUGCMD:
         return sizeof(struct mtd_smart_debug_data_s);
-      case BIOC_GEOMETRY:
-        return sizeof(struct geometry);
       case BIOC_PARTINFO:
         return sizeof(struct partition_info_s);
       case BIOC_BLKSSZGET:
@@ -586,6 +576,11 @@ static int rpmsgblk_ioctl(FAR struct inode *inode, int cmd,
 
   DEBUGASSERT(priv != NULL);
 
+  if (cmd == BIOC_GEOMETRY)
+    {
+      return rpmsgblk_geometry(inode, (FAR struct geometry *)arg);
+    }
+
   /* Call our internal routine to perform the ioctl */
 
   arglen = rpmsgblk_ioctl_arglen(cmd, arg);
@@ -895,12 +890,11 @@ static int rpmsgblk_geometry_handler(FAR struct rpmsg_endpoint *ept,
   FAR struct rpmsgblk_header_s *header = data;
   FAR struct rpmsgblk_cookie_s *cookie =
       (FAR struct rpmsgblk_cookie_s *)(uintptr_t)header->cookie;
-  FAR struct rpmsgblk_geometry_s *rsp = data;
 
   cookie->result = header->result;
-  if (cookie->result >= 0 && rsp->arglen > 0)
+  if (cookie->result >= 0)
     {
-      memcpy(cookie->data, rsp->buf, rsp->arglen);
+      memcpy(cookie->data, data, len);
     }
 
   return rpmsg_post(ept, &cookie->sem);

drivers/misc/rpmsgblk.h

@@ -35,6 +35,7 @@
 
 #define RPMSGBLK_NAME_PREFIX     "rpmsgblk-"
 #define RPMSGBLK_NAME_PREFIX_LEN 9
+#define RPMSGBLK_NAME_MAX        32
 
 #define RPMSGBLK_OPEN            1
 #define RPMSGBLK_CLOSE           2
@@ -76,9 +77,12 @@ begin_packed_struct struct rpmsgblk_read_s
 begin_packed_struct struct rpmsgblk_geometry_s
 {
   struct rpmsgblk_header_s header;
-  uint64_t                 arg;
+  uint16_t                 available;
-  uint32_t                 arglen;
+  uint16_t                 mediachanged;
-  char                     buf[1];
+  uint16_t                 writeenabled;
+  uint16_t                 sectorsize;
+  uint64_t                 nsectors;
+  char                     model[RPMSGBLK_NAME_MAX + 1];
 } end_packed_struct;
 
 begin_packed_struct struct rpmsgblk_ioctl_s
@@ -90,11 +94,6 @@ begin_packed_struct struct rpmsgblk_ioctl_s
   char                     buf[1];
 } end_packed_struct;
 
-begin_packed_struct struct rpmsgblk_unlink_s
-{
-  struct rpmsgblk_header_s header;
-} end_packed_struct;
-
 /****************************************************************************
  * Internal function prototypes
  ****************************************************************************/

drivers/misc/rpmsgblk_server.c

@@ -287,6 +287,7 @@ static int rpmsgblk_geometry_handler(FAR struct rpmsg_endpoint *ept,
 {
   FAR struct rpmsgblk_server_s *server = ept->priv;
   FAR struct rpmsgblk_geometry_s *msg = data;
+  struct geometry geo;
 
 #ifndef CONFIG_DISABLE_PSEUDOFS_OPERATIONS
   if (server->blknode->i_peer == NULL)
@@ -296,10 +297,16 @@ static int rpmsgblk_geometry_handler(FAR struct rpmsg_endpoint *ept,
     }
 #endif
 
-  DEBUGASSERT(msg->arglen == sizeof(struct geometry));
+  msg->header.result = server->bops->geometry(server->blknode, &geo);
 
-  msg->header.result = server->bops->geometry(
+  DEBUGASSERT(strlen(geo.geo_model) <= RPMSGBLK_NAME_MAX);
-    server->blknode, (FAR struct geometry *)msg->buf);
+
+  msg->available = geo.geo_available;
+  msg->mediachanged = geo.geo_mediachanged;
+  msg->writeenabled = geo.geo_writeenabled;
+  msg->nsectors = geo.geo_nsectors;
+  msg->sectorsize = geo.geo_sectorsize;
+  strlcpy(msg->model, geo.geo_model, sizeof(msg->model));
 
   return rpmsg_send(ept, msg, len);
 }