[U-Boot] [PATCH v2 16/23] mmc: Fix incorrect handling of 'read' & 'write' commands

[Simon Glass]

From: Taylor Hutt <thutt at chromium.org>

If a malformed 'read' or 'write' command is issued, the Sandbox U-Boot
can crash because the command-handling code does no error checking on
the number of provided arguments.

This change makes the mmc 'erase', 'read' and 'write' commands only
function if the proper number of arguments are supplied.

Also puts the else assignment at the beginning fo the if() statement
to shortens the generated code.  This removes an unnecessary jump from
the generated code.

Signed-off-by: Taylor Hutt <thutt at chromium.org>
Signed-off-by: Simon Glass <sjg at chromium.org>
---
Changes in v2: None

 common/cmd_mmc.c |    9 ++++-----
 1 files changed, 4 insertions(+), 5 deletions(-)

diff --git a/common/cmd_mmc.c b/common/cmd_mmc.c
index 4c19df7..7dacd51 100644
--- a/common/cmd_mmc.c
+++ b/common/cmd_mmc.c
@@ -250,14 +250,13 @@ static int do_mmcops(cmd_tbl_t *cmdtp, int flag, int argc, char * const argv[])
 		return 0;
 	}
 
-	if (strcmp(argv[1], "read") == 0)
+	state = MMC_INVALID;
+	if (argc == 5 && strcmp(argv[1], "read") == 0)
 		state = MMC_READ;
-	else if (strcmp(argv[1], "write") == 0)
+	else if (argc == 5 && strcmp(argv[1], "write") == 0)
 		state = MMC_WRITE;
-	else if (strcmp(argv[1], "erase") == 0)
+	else if (argc == 4 && strcmp(argv[1], "erase") == 0)
 		state = MMC_ERASE;
-	else
-		state = MMC_INVALID;
 
 	if (state != MMC_INVALID) {
 		struct mmc *mmc = find_mmc_device(curr_device);
-- 
1.7.7.3