tfm_interface_recv function can return a negative value if function
fails and its return value is stored an signed integer variabel named n.
So 'n' should be checked if it is negative or not, but it is compared
with unsinged 64-bit integer variable named packet_size like below:
n < packet_size
If 'n' is negative, then this expression is evaluated as false because n
is casted into unsigned 64-bit integer implicitly before it is compared.
As a result, even tfm_interface_recv failed, error is not handled.
To solve this bug, an expression(n < 0) is added like below:
n < 0 || n < packet_size
There are similar bugs with function calls of tfm_interface_recv and
tfm_interface_send , they are fixed likewise.
This solves a bug reported by COVERITY with CID=
1758276.
Change-Id: I0f395c3411d9af258cc7e7f064b1df27ce4b096d
Signed-off-by: SangYoun Kwak <sy.kwak@samsung.com>
ssize_t n;
n = tfm_interface_send(intf, (void *)rsp, RES_PKT_SIZE);
- if (n < sizeof(*rsp))
+ if (n < 0 || n < sizeof(*rsp))
return -EIO;
return 0;
while (total - recv >= packet_size) {
n = tfm_interface_recv(intf, curr, packet_size);
- if (n < packet_size) {
+ if (n < 0 || n < packet_size) {
ret = -EIO;
goto err;
}
if ((total - recv) > 0) {
n = tfm_interface_recv(intf, curr, packet_size);
- if (n < packet_size) {
+ if (n < 0 || n < packet_size) {
ret = -EIO;
goto err;
}
for (;;) {
n = tfm_interface_recv(intf, &rqt, RQT_PKT_SIZE);
- if (n < sizeof(rqt)) {
+ if (n < 0 || n < sizeof(rqt)) {
fprintf(stderr,
"Failed to receive data from host(%zd:%zu)\n",
n, RQT_PKT_SIZE);
projects / platform / core / system / initrd-flash.git / commitdiff