Coverity reports a possible Out-of-bounds access (ARRAY_VS_SINGLETON) with the 'const u8 *port' parameter passed to ni6501_port_command(). This param is an actual array for the SET_PORT_DIR operation, called by ni6501_dio_insn_config(). But for the WRITE_PORT and READ_PORT operations, called by ni6501_dio_insn_bits(), it is just the address of an u8 local variable. Fix the coverity issue by changing the parameter to an unsigned int and pass the raw values from ni6501_dio_insn_config() and ni6501_dio_insn_bits(). ni6501_port_command() then handles the masking and shifting needed to load the value into the u8 transmit buffer. For consistency, change the access of the 'bitmap' parameter from an array access to a pointer operation. Reported-by: coverity (CID 1248624) Signed-off-by: H Hartley Sweeten <hsweeten@xxxxxxxxxxxxxxxxxxx> Cc: Ian Abbott <abbotti@xxxxxxxxx> Cc: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/staging/comedi/drivers/ni_usb6501.c | 27 +++++++++++---------------- 1 file changed, 11 insertions(+), 16 deletions(-) diff --git a/drivers/staging/comedi/drivers/ni_usb6501.c b/drivers/staging/comedi/drivers/ni_usb6501.c index 5f649f8..88de8da 100644 --- a/drivers/staging/comedi/drivers/ni_usb6501.c +++ b/drivers/staging/comedi/drivers/ni_usb6501.c @@ -172,7 +172,7 @@ struct ni6501_private { }; static int ni6501_port_command(struct comedi_device *dev, int command, - const u8 *port, u8 *bitmap) + unsigned int val, u8 *bitmap) { struct usb_device *usb = comedi_to_usb_dev(dev); struct ni6501_private *devpriv = dev->private; @@ -190,22 +190,22 @@ static int ni6501_port_command(struct comedi_device *dev, int command, request_size = sizeof(READ_PORT_REQUEST); response_size = sizeof(READ_PORT_RESPONSE); memcpy(tx, READ_PORT_REQUEST, request_size); - tx[14] = port[0]; + tx[14] = val & 0xff; break; case WRITE_PORT: request_size = sizeof(WRITE_PORT_REQUEST); response_size = sizeof(GENERIC_RESPONSE); memcpy(tx, WRITE_PORT_REQUEST, request_size); - tx[14] = port[0]; - tx[17] = bitmap[0]; + tx[14] = val & 0xff; + tx[17] = *bitmap; break; case SET_PORT_DIR: request_size = sizeof(SET_PORT_DIR_REQUEST); response_size = sizeof(GENERIC_RESPONSE); memcpy(tx, SET_PORT_DIR_REQUEST, request_size); - tx[14] = port[0]; - tx[15] = port[1]; - tx[16] = port[2]; + tx[14] = val & 0xff; + tx[15] = (val >> 8) & 0xff; + tx[16] = (val >> 16) & 0xff; break; default: ret = -EINVAL; @@ -235,7 +235,7 @@ static int ni6501_port_command(struct comedi_device *dev, int command, /* Check if results are valid */ if (command == READ_PORT) { - bitmap[0] = devpriv->usb_rx_buf[14]; + *bitmap = devpriv->usb_rx_buf[14]; /* mask bitmap for comparing */ devpriv->usb_rx_buf[14] = 0x00; @@ -349,17 +349,12 @@ static int ni6501_dio_insn_config(struct comedi_device *dev, unsigned int *data) { int ret; - u8 port[3]; ret = comedi_dio_insn_config(dev, s, insn, data, 0); if (ret) return ret; - port[0] = (s->io_bits) & 0xff; - port[1] = (s->io_bits >> 8) & 0xff; - port[2] = (s->io_bits >> 16) & 0xff; - - ret = ni6501_port_command(dev, SET_PORT_DIR, port, NULL); + ret = ni6501_port_command(dev, SET_PORT_DIR, s->io_bits, NULL); if (ret) return ret; @@ -382,7 +377,7 @@ static int ni6501_dio_insn_bits(struct comedi_device *dev, if (mask & (0xFF << port * 8)) { bitmap = (s->state >> port * 8) & 0xFF; ret = ni6501_port_command(dev, WRITE_PORT, - &port, &bitmap); + port, &bitmap); if (ret) return ret; } @@ -391,7 +386,7 @@ static int ni6501_dio_insn_bits(struct comedi_device *dev, data[1] = 0; for (port = 0; port < 3; port++) { - ret = ni6501_port_command(dev, READ_PORT, &port, &bitmap); + ret = ni6501_port_command(dev, READ_PORT, port, &bitmap); if (ret) return ret; data[1] |= bitmap << port * 8; -- 2.4.3 _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel