rtc: remove VLA usage

In preparation to enabling -Wvla, remove VLA and replace it
with a fixed-length array instead.

>From a security viewpoint, the use of Variable Length Arrays can be
a vector for stack overflow attacks. Also, in general, as the code
evolves it is easy to lose track of how big a VLA can get. Thus, we
can end up having segfaults that are hard to debug.

Also, fixed as part of the directive to remove all VLAs from
the kernel: https://lkml.org/lkml/2018/3/7/621

Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>

diff --git a/drivers/rtc/rtc-bq32k.c b/drivers/rtc/rtc-bq32k.c
index e8698e9..ef52741 100644 (file)
--- a/drivers/rtc/rtc-bq32k.c
+++ b/drivers/rtc/rtc-bq32k.c
@@ -36,6 +36,10 @@
 #define BQ32K_CFG2             0x09    /* Trickle charger control */
 #define BQ32K_TCFE             BIT(6)  /* Trickle charge FET bypass */
 
+#define MAX_LEN                        10      /* Maximum number of consecutive
+                                        * register for this particular RTC.
+                                        */
+
 struct bq32k_regs {
        uint8_t         seconds;
        uint8_t         minutes;
@@ -74,7 +78,7 @@ static int bq32k_read(struct device *dev, void *data, uint8_t off, uint8_t len)
 static int bq32k_write(struct device *dev, void *data, uint8_t off, uint8_t len)
 {
        struct i2c_client *client = to_i2c_client(dev);
-       uint8_t buffer[len + 1];
+       uint8_t buffer[MAX_LEN + 1];
 
        buffer[0] = off;
        memcpy(&buffer[1], data, len);

diff --git a/drivers/rtc/rtc-mcp795.c b/drivers/rtc/rtc-mcp795.c
index 79e24ea..00e11c1 100644 (file)
--- a/drivers/rtc/rtc-mcp795.c
+++ b/drivers/rtc/rtc-mcp795.c
@@ -82,7 +82,7 @@ static int mcp795_rtcc_write(struct device *dev, u8 addr, u8 *data, u8 count)
 {
        struct spi_device *spi = to_spi_device(dev);
        int ret;
-       u8 tx[2 + count];
+       u8 tx[257];
 
        tx[0] = MCP795_WRITE;
        tx[1] = addr;