nOn Wed, Jun 20, 2018 at 01:41:51PM +0300, Dan Carpenter wrote:
> resp->num is the number of tokens in resp->tok[]. It gets set in
> response_parse(). So if n == resp->num then we're reading beyond the
> end of the data.
>
> Fixes: 455a7b238cd6 ("block: Add Sed-opal library")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
Reviewed-by: Scott Bauer <scott.bauer@xxxxxxxxx>
Tested-by: Scott Bauer <scott.bauer@xxxxxxxxx>
> Static analysis. Not tested. This matches the checking in
> response_get_token().
>
> My other concern is that there isn't checking in response_parse() to
> ensure that we don't go over MAX_TOKS (64) entries. If the firmware
> is buggy we're probably very screwed already, so it doesn't necessarily
> make a lot of difference at runtime but it might make static analysis
> easier if we knew the value of resp->num was in the 1-64 range.
Do you want to send this patch or do you want me todo it? Im all for never
trusting firmware... I've seen it.
