[char-misc 3.10] mei: fix out of array access to me clients array

From: Tomas Winkler
Date: Tue May 07 2013 - 14:14:28 EST

Next message: Huang, Xiong: "RE: 3.8.4 kernel"
Previous message: Serge E. Hallyn: "Re: [PATCH 2/2] autofs4: translate pids to the right namespace forthe daemon"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The patch 9f81abdac362: "mei: implement mei_cl_connect function"
from Jan 8, 2013, leads to the following static checker warning:
"drivers/misc/mei/main.c:522 mei_ioctl_connect_client()
warn: check 'dev->me_clients[]' for negative offsets (-2)"

Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Cc: kernel-janitors@xxxxxxxxxxxxxxx
Signed-off-by: Tomas Winkler <tomas.winkler@xxxxxxxxx>
---
drivers/misc/mei/main.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/drivers/misc/mei/main.c b/drivers/misc/mei/main.c
index 7c44c8d..053139f 100644
--- a/drivers/misc/mei/main.c
+++ b/drivers/misc/mei/main.c
@@ -489,11 +489,16 @@ static int mei_ioctl_connect_client(struct file *file,

/* find ME client we're trying to connect to */
i = mei_me_cl_by_uuid(dev, &data->in_client_uuid);
- if (i >= 0 && !dev->me_clients[i].props.fixed_address) {
- cl->me_client_id = dev->me_clients[i].client_id;
- cl->state = MEI_FILE_CONNECTING;
+ if (i < 0 || dev->me_clients[i].props.fixed_address) {
+ dev_dbg(&dev->pdev->dev, "Cannot connect to FW Client UUID = %pUl\n",
+ &data->in_client_uuid);
+ rets = -ENODEV;
+ goto end;
}

+ cl->me_client_id = dev->me_clients[i].client_id;
+ cl->state = MEI_FILE_CONNECTING;
+
dev_dbg(&dev->pdev->dev, "Connect to FW Client ID = %d\n",
cl->me_client_id);
dev_dbg(&dev->pdev->dev, "FW Client - Protocol Version = %d\n",
@@ -527,11 +532,6 @@ static int mei_ioctl_connect_client(struct file *file,
goto end;
}

- if (cl->state != MEI_FILE_CONNECTING) {
- rets = -ENODEV;
- goto end;
- }
-

/* prepare the output buffer */
client = &data->out_client_properties;
@@ -543,7 +543,6 @@ static int mei_ioctl_connect_client(struct file *file,
rets = mei_cl_connect(cl, file);

end:
- dev_dbg(&dev->pdev->dev, "free connect cb memory.");
return rets;
}

--
1.8.1.2

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Huang, Xiong: "RE: 3.8.4 kernel"
Previous message: Serge E. Hallyn: "Re: [PATCH 2/2] autofs4: translate pids to the right namespace forthe daemon"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]