Re: [patch 1/2 -next] mfd: dln2: add a limit check for invalid "echo"
From: Octavian Purdila
Date: Thu Nov 13 2014 - 06:01:35 EST
On Thu, Nov 13, 2014 at 12:35 PM, Dan Carpenter
<dan.carpenter@xxxxxxxxxx> wrote:
> We check the other variables and traditionally we don't trust data from
> USB devices so adding a check here is normal. This silences a static
> checker warning.
>
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> I am unsure if this fix is correct and I don't have the hardware.
> Please review this one carefully. The "goto out;" seems to use the
> invalid data and I don't understand why.
>
> diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c
> index 9765a17..3101e5e 100644
> --- a/drivers/mfd/dln2.c
> +++ b/drivers/mfd/dln2.c
> @@ -280,6 +280,11 @@ static void dln2_rx(struct urb *urb)
> goto out;
> }
>
> + if (echo >= DLN2_MAX_RX_SLOTS) {
> + dev_warn(dev, "invalid echo %d\n", echo);
> + goto out;
> + }
> +
> data = urb->transfer_buffer + sizeof(struct dln2_header);
> len = urb->actual_length - sizeof(struct dln2_header);
>
Hi Dan,
Thanks for the patch. You are right that we need to check echo, but
only in the case that it is not an event. In that case the echo
counter increments for every event and can easily be greater the
DLN2_MAX_RX_SLOTS. So the correct patch is to check in
dln2_transfer_complete() that rx_slot is valid. I will follow-up with
a patch for that shortly.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/