Subject: [bug report] HID: ishtp-hid-client: replace fake-flex arrays with flex-array members
From: Dan Carpenter
Date: 2024-10-10 10:02 UTC
To: Erick Archer
Cc: linux-input
Hello Erick Archer,
Commit 63cafaf47a83 ("HID: ishtp-hid-client: replace fake-flex arrays
with flex-array members") from Sep 22, 2024 (linux-next), leads to
the following Smatch static checker warning:
drivers/hid/intel-ish-hid/ishtp-hid-client.c:306 process_recv()
warn: potential pointer math issue ('report' is a 64 bit pointer)
drivers/hid/intel-ish-hid/ishtp-hid-client.c
66 static void process_recv(struct ishtp_cl *hid_ishtp_cl, void *recv_buf,
67 size_t data_len)
68 {
69 struct hostif_msg *recv_msg;
70 unsigned char *payload;
71 struct device_info *dev_info;
72 int i, j;
73 size_t payload_len, total_len, cur_pos, raw_len, msg_len;
74 int report_type;
75 struct report_list *reports_list;
76 struct report *report;
^^^^^^
77 size_t report_len;
78 struct ishtp_cl_data *client_data = ishtp_get_client_data(hid_ishtp_cl);
79 int curr_hid_dev = client_data->cur_hid_dev;
80 struct ishtp_hid_data *hid_data = NULL;
81 struct hid_device *hid = NULL;
82
[ snip ]
279
280 case HOSTIF_PUBLISH_INPUT_REPORT_LIST:
281 report_type = HID_INPUT_REPORT;
282 reports_list = (struct report_list *)payload;
283 report = reports_list->reports;
284
285 for (j = 0; j < reports_list->num_of_reports; j++) {
286 recv_msg = container_of(&report->msg,
287 struct hostif_msg, hdr);
288 report_len = report->size;
289 payload = recv_msg->payload;
290 payload_len = report_len -
291 sizeof(struct hostif_msg_hdr);
292
293 for (i = 0; i < client_data->num_hid_devices;
294 ++i)
295 if (recv_msg->hdr.device_id ==
296 client_data->hid_devices[i].dev_id &&
297 client_data->hid_sensor_hubs[i]) {
298 hid_input_report(
299 client_data->hid_sensor_hubs[
300 i],
301 report_type,
302 payload, payload_len,
303 0);
304 }
305
--> 306 report += sizeof(*report) + payload_len;
The pointer math doesn't work here. This will read way beyond the end of the
buffer. It needs to be something like:
report = (void *)report + sizeof(*report) + payload_len;
regards,
dan carpenter
307 }
308 break;
309 default:
310 ++client_data->bad_recv_cnt;
311 report_bad_packet(hid_ishtp_cl, recv_msg, cur_pos,
312 payload_len);
313 ish_hw_reset(ishtp_get_ishtp_device(hid_ishtp_cl));
314 break;
315
316 }
317
318 msg_len = payload_len + sizeof(struct hostif_msg);
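The arithmetic mistake above is easy to see with a small stand-alone program. The example below is added here and is not code from the kernel or from the bug report: the struct layouts are simplified, hypothetical stand-ins for hostif_msg_hdr, report and report_list (constructed for the example, not the real field layout), and the sample buffer is constructed inline. It walks the same kind of back-to-back variable-length record list twice, once stepping by bytes (the fix Dan suggests; the kernel's `(void *)report + n` is written here in standard C as an offset into an `unsigned char` buffer) and once with the struct-scaled step that `report += n` actually performs, and bounds-checks every step so the wrong version shows up as an early exit instead of an out-of-bounds read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for the kernel's hostif_msg_hdr, report and
 * report_list. The field layout is hypothetical (constructed for this
 * example); only the record-walking arithmetic matters here. */
struct msg_hdr {
	uint8_t device_id;
	uint8_t flags;
};

struct report {
	uint16_t size;		/* sizeof(msg) + number of payload bytes */
	struct msg_hdr msg;
	/* payload bytes follow the struct directly in memory */
};

struct report_list {
	uint16_t num_of_reports;
	/* num_of_reports variable-length records follow */
};

/* Offset of the record after the one at 'cur' that carries 'payload_len'
 * payload bytes. use_bad_math reproduces the reported bug: "report += n" on
 * a struct report * moves n * sizeof(struct report) bytes, not n bytes. The
 * fix is byte-wise arithmetic: the kernel's (void *)report + n, or in
 * standard C (const unsigned char *)report + n, which is what the offset
 * form below computes. */
static size_t next_record_offset(size_t cur, size_t payload_len, int use_bad_math)
{
	size_t n = sizeof(struct report) + payload_len;

	return cur + (use_bad_math ? n * sizeof(struct report) : n);
}

/* Walk the list, summing payload bytes of records addressed to 'dev_id'.
 * Returns the number of records parsed. It never touches a byte past
 * buf_len, so a wrong step shows up as an early exit, not an OOB read. */
static int walk_reports(const unsigned char *buf, size_t buf_len, uint8_t dev_id,
			int use_bad_math, size_t *matched_bytes)
{
	struct report_list list;
	size_t off = sizeof(list);
	int parsed = 0;

	*matched_bytes = 0;
	if (buf_len < sizeof(list))
		return 0;
	memcpy(&list, buf, sizeof(list));	/* memcpy: no alignment assumptions */

	for (unsigned j = 0; j < list.num_of_reports; j++) {
		struct report report;
		size_t payload_len;

		if (off + sizeof(report) > buf_len)
			return parsed;		/* header would be out of bounds */
		memcpy(&report, buf + off, sizeof(report));
		if (report.size < sizeof(report.msg))
			return parsed;		/* malformed size field */
		payload_len = report.size - sizeof(report.msg);
		if (off + sizeof(report) + payload_len > buf_len)
			return parsed;		/* payload would be out of bounds */

		if (report.msg.device_id == dev_id)
			*matched_bytes += payload_len;
		parsed++;
		off = next_record_offset(off, payload_len, use_bad_math);
	}
	return parsed;
}

/* Append one record (header + payload) at p; returns bytes written. */
static size_t put_record(unsigned char *p, uint8_t device_id,
			 const uint8_t *payload, size_t n)
{
	struct report r = { .size = (uint16_t)(sizeof(r.msg) + n),
			    .msg = { device_id, 0 } };

	memcpy(p, &r, sizeof(r));
	memcpy(p + sizeof(r), payload, n);
	return sizeof(r) + n;
}

/* Constructed sample: three records, payloads of 4, 2 and 6 bytes,
 * two of them for device 0x10. Returns the total buffer length. */
static size_t build_sample(unsigned char *buf)
{
	static const uint8_t a[4] = { 1, 2, 3, 4 };
	static const uint8_t b[2] = { 5, 6 };
	static const uint8_t c[6] = { 7, 8, 9, 10, 11, 12 };
	struct report_list list = { .num_of_reports = 3 };
	size_t len = 0;

	memcpy(buf, &list, sizeof(list));
	len += sizeof(list);
	len += put_record(buf + len, 0x10, a, sizeof(a));
	len += put_record(buf + len, 0x11, b, sizeof(b));
	len += put_record(buf + len, 0x10, c, sizeof(c));
	return len;
}

int main(void)
{
	unsigned char buf[64];
	size_t len = build_sample(buf), matched;
	int n;

	n = walk_reports(buf, len, 0x10, 0, &matched);
	printf("byte step:   parsed %d records, %zu payload bytes for 0x10\n", n, matched);
	n = walk_reports(buf, len, 0x10, 1, &matched);
	printf("struct step: parsed %d record(s) before stepping past the buffer\n", n);
	return 0;
}
```

With the byte-wise step all three records are visited; with the struct-scaled step the second "record" would start at offset 2 + 8 * sizeof(struct report), already past the 26-byte buffer, which is the "read way beyond the end of the buffer" the report describes. In the kernel the walk has no such bounds check, so the stale read happens instead of an early exit.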