make KCFLAGS='-fanalyzer' sound/soc/sof/ reports an issue with memcpy:
sound/soc/sof/ipc3.c: In function ‘ipc3_wait_tx_done’:
sound/soc/sof/ipc3.c:309:33: error: use of NULL ‘reply_data’ where
non-null expected [CWE-476] [-Werror=analyzer-null-argument]
309 | memcpy(reply_data, msg->reply_data,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
310 | msg->reply_size);
The finding is legit with this call:
return sof_ipc3_tx_msg(sdev, &pm_ctx, sizeof(pm_ctx), NULL, 0, false);
Static analysis has no way of knowing that the reply will be zero-sized.
Add a check to only do the memcpy if the reply size is not zero and
the destination pointer is not NULL.
Signed-off-by: Pierre-Louis Bossart <pierre-louis.bossart@xxxxxxxxxxxxxxx>
Reviewed-by: Rander Wang <rander.wang@xxxxxxxxx>
Reviewed-by: Daniel Baluta <daniel.baluta@xxxxxxx>
Reviewed-by: Yaochun Hung <yc.hung@xxxxxxxxxxxx>
---
sound/soc/sof/ipc3.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/sof/ipc3.c b/sound/soc/sof/ipc3.c
index 2c5aac31e8b0..09834205b119 100644
--- a/sound/soc/sof/ipc3.c
+++ b/sound/soc/sof/ipc3.c
@@ -312,7 +312,7 @@ static int ipc3_wait_tx_done(struct snd_sof_ipc *ipc, void *reply_data)
} else {
if (sof_debug_check_flag(SOF_DBG_PRINT_IPC_SUCCESS_LOGS))
ipc3_log_header(sdev->dev, "ipc tx succeeded", hdr->cmd);
- if (msg->reply_size)
+ if (reply_data && msg->reply_size)
/* copy the data returned from DSP */
memcpy(reply_data, msg->reply_data,
msg->reply_size);
--
2.39.2
