2014-11-13 10:35:59

by Dan Carpenter

Subject: [patch 1/2 -next] mfd: dln2: add a limit check for invalid "echo"

We check the other variables and traditionally we don't trust data from
USB devices so adding a check here is normal. This silences a static
checker warning.

Signed-off-by: Dan Carpenter <[email protected]>
---
I am unsure if this fix is correct and I don't have the hardware.
Please review this one carefully. The "goto out;" seems to use the
invalid data and I don't understand why.

diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c
index 9765a17..3101e5e 100644
--- a/drivers/mfd/dln2.c
+++ b/drivers/mfd/dln2.c
@@ -280,6 +280,11 @@ static void dln2_rx(struct urb *urb)
goto out;
}

+ if (echo >= DLN2_MAX_RX_SLOTS) {
+ dev_warn(dev, "invalid echo %d\n", echo);
+ goto out;
+ }
+
data = urb->transfer_buffer + sizeof(struct dln2_header);
len = urb->actual_length - sizeof(struct dln2_header);
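
Review bot: the new `if (echo >= DLN2_MAX_RX_SLOTS)` test sits in dln2_rx() ahead of any distinction between message types, so it applies to every received message. The reply in this thread notes that for events the echo is a running counter that can legitimately exceed DLN2_MAX_RX_SLOTS, so valid events would be dropped with a warning. Suggest moving the bound to the point where echo is used as a slot index (dln2_transfer_complete(), on rx_slot) and leaving the event path unchecked.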


2014-11-13 11:01:31

by Octavian Purdila

Subject: Re: [patch 1/2 -next] mfd: dln2: add a limit check for invalid "echo"

On Thu, Nov 13, 2014 at 12:35 PM, Dan Carpenter
<[email protected]> wrote:
> We check the other variables and traditionally we don't trust data from
> USB devices so adding a check here is normal. This silences a static
> checker warning.
>
> Signed-off-by: Dan Carpenter <[email protected]>
> ---
> I am unsure if this fix is correct and I don't have the hardware.
> Please review this one carefully. The "goto out;" seems to use the
> invalid data and I don't understand why.
>
> diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c
> index 9765a17..3101e5e 100644
> --- a/drivers/mfd/dln2.c
> +++ b/drivers/mfd/dln2.c
> @@ -280,6 +280,11 @@ static void dln2_rx(struct urb *urb)
> goto out;
> }
>
> + if (echo >= DLN2_MAX_RX_SLOTS) {
> + dev_warn(dev, "invalid echo %d\n", echo);
> + goto out;
> + }
> +
> data = urb->transfer_buffer + sizeof(struct dln2_header);
> len = urb->actual_length - sizeof(struct dln2_header);
>
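
Review bot: `dev_warn(dev, "invalid echo %d\n", echo);` is reached from the URB completion handler with a value the device chooses, so a faulty or hostile device can produce one log line per packet. Suggest dev_warn_ratelimited() for this message so the rejection path cannot be used to flood the kernel log.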

Hi Dan,

Thanks for the patch. You are right that we need to check echo, but
only in the case that it is not an event. In that case the echo
counter increments for every event and can easily be greater than
DLN2_MAX_RX_SLOTS. So the correct patch is to check in
dln2_transfer_complete() that rx_slot is valid. I will follow up with
a patch for that shortly.
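
The placement discussed in this reply, as an added example that is not part of the thread or the dln2 driver: a simplified user-space model in which the device-supplied echo is bounded only on the path that uses it as a slot index. `MAX_RX_SLOTS`, `HANDLE_EVENT`, `struct msg_header`, the function names and the sample messages are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_RX_SLOTS 4        /* constructed value, not the driver's */
#define HANDLE_EVENT 0xffffu  /* hypothetical marker for event messages */

struct msg_header { uint16_t size, id, echo, handle; }; /* simplified */

enum rx_result { RX_EVENT, RX_RESPONSE, RX_DROPPED };

static int slot_done[MAX_RX_SLOTS];  /* indexed by echo on the response path */

/* Response path: echo becomes an array index, so it is bounded here. */
static enum rx_result transfer_complete(uint16_t rx_slot)
{
    if (rx_slot >= MAX_RX_SLOTS)
        return RX_DROPPED;           /* out-of-range slot from the device */
    slot_done[rx_slot] = 1;
    return RX_RESPONSE;
}

/* Receive path: buf and len come from the untrusted device. */
static enum rx_result rx(const uint8_t *buf, size_t len)
{
    struct msg_header hdr;

    if (len < sizeof(hdr))
        return RX_DROPPED;           /* too short to hold a header */
    memcpy(&hdr, buf, sizeof(hdr));  /* copy out: buf may be unaligned */
    if (hdr.size < sizeof(hdr) || hdr.size > len)
        return RX_DROPPED;           /* claimed size disagrees with the data */
    if (hdr.handle == HANDLE_EVENT)
        return RX_EVENT;             /* echo is a running counter: no range check */
    return transfer_complete(hdr.echo);
}

int main(void)
{
    /* Constructed messages: event with large echo, good slot, bad slot. */
    struct msg_header m[] = { { 8, 1, 1000, HANDLE_EVENT }, { 8, 2, 2, 0 }, { 8, 2, 9, 0 } };
    uint8_t buf[sizeof(m[0])];

    for (size_t i = 0; i < sizeof(m) / sizeof(m[0]); i++) {
        memcpy(buf, &m[i], sizeof(buf));
        printf("echo=%u -> %d\n", (unsigned)m[i].echo, (int)rx(buf, sizeof(buf)));
    }
    return 0;
}
```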