Linux IIO development
From: Stepan Ionichev <sozdayvek@gmail.com>
To: tomasz.duszynski@octakon.com
Cc: jic23@kernel.org, dlechner@baylibre.com, nuno.sa@analog.com,
	andy@kernel.org, linux-iio@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	Stepan Ionichev <sozdayvek@gmail.com>
Subject: [PATCH] iio: chemical: scd30: avoid potential NULL deref in scd30_i2c_command()
Date: Wed,  6 May 2026 23:15:33 +0500
Message-ID: <20260506181533.409-1-sozdayvek@gmail.com>

scd30_i2c_command() takes an opaque "response" buffer plus its size.
At the start of the function the code already checks if response is
NULL (via the rsp local), but the response-decoding loop after the
i2c transfer always dereferences rsp without re-checking.

With the current callers in scd30_core.c this is harmless, since
write commands pass response=NULL together with size=0 (so the loop
body is never entered). However, the inconsistency is an accident
waiting to happen if a future caller passes response=NULL together
with size > 0 -- the loop would then write through a NULL pointer.

smatch flags this:

  drivers/iio/chemical/scd30_i2c.c:104 scd30_i2c_command() error: we
    previously assumed rsp could be null (see line 77)

Bail out early when rsp is NULL so the function is robust regardless
of the (cmd, size) combination chosen by the caller.

No functional change for the existing callers.

Signed-off-by: Stepan Ionichev <sozdayvek@gmail.com>
---
 drivers/iio/chemical/scd30_i2c.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/iio/chemical/scd30_i2c.c b/drivers/iio/chemical/scd30_i2c.c
index 436df9c61..fb06bec75 100644
--- a/drivers/iio/chemical/scd30_i2c.c
+++ b/drivers/iio/chemical/scd30_i2c.c
@@ -93,6 +93,9 @@ static int scd30_i2c_command(struct scd30_state *state, enum scd30_cmd cmd, u16
 	if (ret)
 		return ret;
 
+	if (!rsp)
+		return 0;
+
 	/* validate received data and strip off crc bytes */
 	for (i = 0; i < size; i += 3) {
 		crc = crc8(scd30_i2c_crc8_tbl, buf + i, 2, CRC8_INIT_VALUE);
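Review bot: the early `return 0` added before the decode loop turns a (response=NULL, size > 0) call into a silent success, which hides exactly the caller bug the commit message warns about; returning -EINVAL for that combination would make the misuse visible instead of masking it. The check is also placed after `if (ret) return ret;`, i.e. after the I2C transfer has already completed, so a malformed call still performs the bus transaction; validating the (rsp, size) pair together with the existing NULL check at the top of the function would reject it before any I/O happens.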
-- 
2.43.0



Thread overview: 8+ messages
2026-05-06 18:15 Stepan Ionichev [this message]
2026-05-07 15:28 ` [PATCH v2] iio: chemical: scd30: reject (response=NULL, size>0) in scd30_i2c_command() Stepan Ionichev
2026-05-08  7:36   ` Andy Shevchenko
2026-05-08  7:29     ` Stepan Ionichev
2026-05-08 16:02   ` Maxwell Doose
2026-05-08 18:16     ` Stepan Ionichev
2026-05-08 19:50       ` Maxwell Doose
2026-05-07 16:18 ` [PATCH] iio: chemical: scd30: avoid potential NULL deref " Jonathan Cameron
