Commit 5f841fe6 authored by Jérôme Pouiller's avatar Jérôme Pouiller Committed by Greg Kroah-Hartman

staging: wfx: increase robustness of hif_generic_confirm()

Smatch complains:

    drivers/staging/wfx/hif_rx.c:26 hif_generic_confirm() warn: negative user subtract: 0-u16max - 4
    20  static int hif_generic_confirm(struct wfx_dev *wdev,
    21                                 const struct hif_msg *hif, const void *buf)
    22  {
    23          // All confirm messages start with status
    24          int status = le32_to_cpup((__le32 *)buf);
    25          int cmd = hif->id;
    26          int len = le16_to_cpu(hif->len) - 4; // drop header
                                              ^^^^^
    27
    28          WARN(!mutex_is_locked(&wdev->hif_cmd.lock), "data locking error");

In fact, rx_helper() already make the necessary checks on the value of
hif->len. Never mind, add an explicit check to make Smatch happy.
Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarJérôme Pouiller <jerome.pouiller@silabs.com>
Link: https://lore.kernel.org/r/20201009171307.864608-6-Jerome.Pouiller@silabs.comSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent b3c669be
...@@ -40,10 +40,10 @@ static int hif_generic_confirm(struct wfx_dev *wdev, ...@@ -40,10 +40,10 @@ static int hif_generic_confirm(struct wfx_dev *wdev,
} }
if (wdev->hif_cmd.buf_recv) { if (wdev->hif_cmd.buf_recv) {
if (wdev->hif_cmd.len_recv >= len) if (wdev->hif_cmd.len_recv >= len && len > 0)
memcpy(wdev->hif_cmd.buf_recv, buf, len); memcpy(wdev->hif_cmd.buf_recv, buf, len);
else else
status = -ENOMEM; status = -EIO;
} }
wdev->hif_cmd.ret = status; wdev->hif_cmd.ret = status;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment