* [patch 1/2 -next] mfd: dln2: add a limit check for invalid "echo"
@ 2014-11-13 10:35 Dan Carpenter
2014-11-13 11:01 ` Octavian Purdila
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2014-11-13 10:35 UTC (permalink / raw)
To: Samuel Ortiz, Octavian Purdila; +Cc: Lee Jones, linux-kernel, kernel-janitors
We check the other variables and traditionally we don't trust data from
USB devices so adding a check here is normal. This silences a static
checker warning.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
I am unsure if this fix is correct and I don't have the hardware.
Please review this one carefully. The "goto out;" seems to use the
invalid data and I don't understand why.
diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c
index 9765a17..3101e5e 100644
--- a/drivers/mfd/dln2.c
+++ b/drivers/mfd/dln2.c
@@ -280,6 +280,11 @@ static void dln2_rx(struct urb *urb)
goto out;
}
+ if (echo >= DLN2_MAX_RX_SLOTS) {
+ dev_warn(dev, "invalid echo %d\n", echo);
+ goto out;
+ }
+
data = urb->transfer_buffer + sizeof(struct dln2_header);
len = urb->actual_length - sizeof(struct dln2_header);
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [patch 1/2 -next] mfd: dln2: add a limit check for invalid "echo"
2014-11-13 10:35 [patch 1/2 -next] mfd: dln2: add a limit check for invalid "echo" Dan Carpenter
@ 2014-11-13 11:01 ` Octavian Purdila
0 siblings, 0 replies; 2+ messages in thread
From: Octavian Purdila @ 2014-11-13 11:01 UTC (permalink / raw)
To: Dan Carpenter; +Cc: Samuel Ortiz, Lee Jones, lkml, kernel-janitors
On Thu, Nov 13, 2014 at 12:35 PM, Dan Carpenter
<dan.carpenter@oracle.com> wrote:
> We check the other variables and traditionally we don't trust data from
> USB devices so adding a check here is normal. This silences a static
> checker warning.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
> ---
> I am unsure if this fix is correct and I don't have the hardware.
> Please review this one carefully. The "goto out;" seems to use the
> invalid data and I don't understand why.
>
> diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c
> index 9765a17..3101e5e 100644
> --- a/drivers/mfd/dln2.c
> +++ b/drivers/mfd/dln2.c
> @@ -280,6 +280,11 @@ static void dln2_rx(struct urb *urb)
> goto out;
> }
>
> + if (echo >= DLN2_MAX_RX_SLOTS) {
> + dev_warn(dev, "invalid echo %d\n", echo);
> + goto out;
> + }
> +
> data = urb->transfer_buffer + sizeof(struct dln2_header);
> len = urb->actual_length - sizeof(struct dln2_header);
>
Hi Dan,
Thanks for the patch. You are right that we need to check echo, but
only in the case that it is not an event. In that case the echo
counter increments for every event and can easily be greater the
DLN2_MAX_RX_SLOTS. So the correct patch is to check in
dln2_transfer_complete() that rx_slot is valid. I will follow-up with
a patch for that shortly.
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2014-11-13 11:01 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-11-13 10:35 [patch 1/2 -next] mfd: dln2: add a limit check for invalid "echo" Dan Carpenter
2014-11-13 11:01 ` Octavian Purdila
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).