From: Dan Carpenter <dan.carpenter@linaro.org>
To: Erick Archer <erick.archer@outlook.com>
Cc: linux-input@vger.kernel.org
Subject: [bug report] HID: ishtp-hid-client: replace fake-flex arrays with flex-array members
Date: Thu, 10 Oct 2024 13:02:21 +0300
Message-ID: <623740cd-613e-47f2-b0cd-a472da979b9b@stanley.mountain>
Hello Erick Archer,
Commit 63cafaf47a83 ("HID: ishtp-hid-client: replace fake-flex arrays
with flex-array members") from Sep 22, 2024 (linux-next), leads to
the following Smatch static checker warning:
drivers/hid/intel-ish-hid/ishtp-hid-client.c:306 process_recv()
warn: potential pointer math issue ('report' is a 64 bit pointer)
drivers/hid/intel-ish-hid/ishtp-hid-client.c
66 static void process_recv(struct ishtp_cl *hid_ishtp_cl, void *recv_buf,
67 size_t data_len)
68 {
69 struct hostif_msg *recv_msg;
70 unsigned char *payload;
71 struct device_info *dev_info;
72 int i, j;
73 size_t payload_len, total_len, cur_pos, raw_len, msg_len;
74 int report_type;
75 struct report_list *reports_list;
76 struct report *report;
^^^^^^
77 size_t report_len;
78 struct ishtp_cl_data *client_data = ishtp_get_client_data(hid_ishtp_cl);
79 int curr_hid_dev = client_data->cur_hid_dev;
80 struct ishtp_hid_data *hid_data = NULL;
81 struct hid_device *hid = NULL;
82
[ snip ]
279
280 case HOSTIF_PUBLISH_INPUT_REPORT_LIST:
281 report_type = HID_INPUT_REPORT;
282 reports_list = (struct report_list *)payload;
283 report = reports_list->reports;
284
285 for (j = 0; j < reports_list->num_of_reports; j++) {
286 recv_msg = container_of(&report->msg,
287 struct hostif_msg, hdr);
288 report_len = report->size;
289 payload = recv_msg->payload;
290 payload_len = report_len -
291 sizeof(struct hostif_msg_hdr);
292
293 for (i = 0; i < client_data->num_hid_devices;
294 ++i)
295 if (recv_msg->hdr.device_id ==
296 client_data->hid_devices[i].dev_id &&
297 client_data->hid_sensor_hubs[i]) {
298 hid_input_report(
299 client_data->hid_sensor_hubs[
300 i],
301 report_type,
302 payload, payload_len,
303 0);
304 }
305
--> 306 report += sizeof(*report) + payload_len;
The pointer math doesn't work here. This will read way beyond the end of the
buffer. It needs to be something like:
report = (void *)report + sizeof(*report) + payload_len;
regards,
dan carpenter
307 }
308 break;
309 default:
310 ++client_data->bad_recv_cnt;
311 report_bad_packet(hid_ishtp_cl, recv_msg, cur_pos,
312 payload_len);
313 ish_hw_reset(ishtp_get_ishtp_device(hid_ishtp_cl));
314 break;
315
316 }
317
318 msg_len = payload_len + sizeof(struct hostif_msg);
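As an added illustration, not code from this report or from the driver, the stand-alone C program below walks a constructed report list with both forms of the pointer step: the scaled `report += n` that Smatch flagged, and the byte-wise step suggested above. The struct layouts and the bounds checks are simplified assumptions for the demo, not the kernel's definitions.

```c
#include <stdint.h>
#include <string.h>
/* Simplified stand-ins for the driver's structures; layouts are assumed, not the kernel's. */
struct hostif_msg_hdr { uint16_t device_id; uint16_t reserved; };
struct report { uint16_t size; uint16_t pad; struct hostif_msg_hdr hdr; /* payload follows */ };
struct report_list { uint16_t num_of_reports; uint16_t pad; /* variable-length reports follow */ };
enum step_mode { STEP_SCALED, STEP_BYTEWISE };

/* Walk the list the way process_recv() does and return how many reports were reached in bounds.
 * STEP_SCALED reproduces the bug (report += n advances n * sizeof(*report) bytes);
 * STEP_BYTEWISE is the suggested fix (advance by bytes). */
int walk_reports(const unsigned char *buf, size_t buf_len, enum step_mode mode)
{
    const struct report_list *list = (const struct report_list *)buf;
    const struct report *report = (const struct report *)(buf + sizeof(*list));
    int parsed = 0;
    for (int j = 0; j < list->num_of_reports; j++) {
        const unsigned char *p = (const unsigned char *)report;
        size_t off = (size_t)(p - buf);
        if (off + sizeof(*report) > buf_len)
            return parsed;                    /* header would be read past the buffer */
        if (report->size < sizeof(struct hostif_msg_hdr))
            return parsed;                    /* malformed: size cannot cover its own header */
        size_t payload_len = report->size - sizeof(struct hostif_msg_hdr);
        if (off + sizeof(*report) + payload_len > buf_len)
            return parsed;                    /* payload would be read past the buffer */
        parsed++;
        if (mode == STEP_SCALED)
            report += sizeof(*report) + payload_len;   /* bug: scaled by sizeof(*report) */
        else
            report = (const struct report *)(p + sizeof(*report) + payload_len);
    }
    return parsed;
}

/* Constructed sample: a two-report list with 8- and 4-byte payloads in a 64-byte buffer. */
int demo(enum step_mode mode)
{
    unsigned char buf[64] = { 0 };
    const uint16_t payload_lens[] = { 8, 4 };
    struct report_list list = { .num_of_reports = 2 };
    size_t off = 0;
    memcpy(buf, &list, sizeof(list)); off += sizeof(list);
    for (int i = 0; i < 2; i++) {
        struct report r = { .size = (uint16_t)(sizeof(struct hostif_msg_hdr) + payload_lens[i]),
                            .hdr = { .device_id = (uint16_t)(i + 1) } };
        memcpy(buf + off, &r, sizeof(r)); off += sizeof(r);
        memset(buf + off, 0xA5, payload_lens[i]); off += payload_lens[i];
    }
    return walk_reports(buf, off, mode);   /* scaled step reaches 1 report, byte-wise step 2 */
}
```

With the scaled step the second report lands 128 bytes past the first instead of 16, so the bounds check trips after one report; in the driver there is no such check, which is why the read runs off the end of the buffer.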