From 5f841fe69832c8440a5d940e4d768cf7b96f3b9f Mon Sep 17 00:00:00 2001 From: =?utf8?q?J=C3=A9r=C3=B4me=20Pouiller?= Date: Fri, 9 Oct 2020 19:13:04 +0200 Subject: [PATCH] staging: wfx: increase robustness of hif_generic_confirm() MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Smatch complains: drivers/staging/wfx/hif_rx.c:26 hif_generic_confirm() warn: negative user subtract: 0-u16max - 4 20 static int hif_generic_confirm(struct wfx_dev *wdev, 21 const struct hif_msg *hif, const void *buf) 22 { 23 // All confirm messages start with status 24 int status = le32_to_cpup((__le32 *)buf); 25 int cmd = hif->id; 26 int len = le16_to_cpu(hif->len) - 4; // drop header ^^^^^ 27 28 WARN(!mutex_is_locked(&wdev->hif_cmd.lock), "data locking error"); In fact, rx_helper() already make the necessary checks on the value of hif->len. Never mind, add an explicit check to make Smatch happy. Reported-by: Dan Carpenter Signed-off-by: Jérôme Pouiller Link: https://lore.kernel.org/r/20201009171307.864608-6-Jerome.Pouiller@silabs.com Signed-off-by: Greg Kroah-Hartman --- drivers/staging/wfx/hif_rx.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/staging/wfx/hif_rx.c b/drivers/staging/wfx/hif_rx.c index ca09467..2d42652 100644 --- a/drivers/staging/wfx/hif_rx.c +++ b/drivers/staging/wfx/hif_rx.c @@ -40,10 +40,10 @@ static int hif_generic_confirm(struct wfx_dev *wdev, } if (wdev->hif_cmd.buf_recv) { - if (wdev->hif_cmd.len_recv >= len) + if (wdev->hif_cmd.len_recv >= len && len > 0) memcpy(wdev->hif_cmd.buf_recv, buf, len); else - status = -ENOMEM; + status = -EIO; } wdev->hif_cmd.ret = status; -- 2.7.4