On Fri, Apr 09, 2021 at 03:32:06PM +0300, Dan Carpenter wrote:
> Hello Michael Zaidman,
>
> The patch 6a82582d9fa4: "HID: ft260: add usb hid to i2c host bridge
> driver" from Feb 19, 2021, leads to the following static checker
> warning:
>
>     drivers/hid/hid-ft260.c:441 ft260_smbus_write()
>     error: '__memcpy()' '&rep->data[1]' too small (59 vs 255)
>
> drivers/hid/hid-ft260.c
>    423  static int ft260_smbus_write(struct ft260_device *dev, u8 addr, u8 cmd,
>    424                               u8 *data, u8 data_len, u8 flag)
>    425  {
>    426          int ret = 0;
>    427          int len = 4;
>    428
>    429          struct ft260_i2c_write_request_report *rep =
>    430                  (struct ft260_i2c_write_request_report *)dev->write_buf;
>    431
>    432          rep->address = addr;
>    433          rep->data[0] = cmd;
>    434          rep->length = data_len + 1;
>    435          rep->flag = flag;
>    436          len += rep->length;
>    437
>    438          rep->report = FT260_I2C_DATA_REPORT_ID(len);
>    439
>    440          if (data_len > 0)
>    441                  memcpy(&rep->data[1], data, data_len);
>                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Smatch says that this can be called from the i2cdev_ioctl_smbus()
> function.

Hi Dan,

This is an example of a false-positive static checker warning. The maximum
data size that the i2cdev_ioctl_smbus() can pass to the i2c_smbus_xfer() is
sizeof(data->block) which is (I2C_SMBUS_BLOCK_MAX + 2) or 34 bytes. Thus, no
need to check the data_len against 59 here.

Regards,
Michael

>
> i2cdev_ioctl_smbus()
> --> i2c_smbus_xfer
>     --> __i2c_smbus_xfer
>         --> ft260_smbus_xfer
>             --> ft260_smbus_write
>
>    442
>    443          ft260_dbg("rep %#02x addr %#02x cmd %#02x datlen %d replen %d\n",
>    444                    rep->report, addr, cmd, rep->length, len);
>    445
>    446          ret = ft260_hid_output_report_check_status(dev, (u8 *)rep, len);
>    447
>    448          return ret;
>    449  }
>
> regards,
> dan carpenter
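
A userspace model of the size reasoning in this thread, added here as an example; it is not part of either message and is not the driver's code. It compares the caller-side bound named in the reply (34 bytes) with the 59 bytes the checker reports as available, and shows how a length check inside the function would state the same invariant locally. The `model_*` names and the struct layout (4-byte header plus `data[60]`, inferred from `len = 4` and the "59" in the warning) are assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: a 4-byte header plus data[60], inferred from len = 4 and
 * the checker's "59" (space left after data[0]). Not copied from the driver. */
#define MODEL_DATA_MAX 60
#define MODEL_SMBUS_BLOCK_MAX 32 /* value of I2C_SMBUS_BLOCK_MAX */

struct model_write_report {
	uint8_t report;
	uint8_t address;
	uint8_t flag;
	uint8_t length;
	uint8_t data[MODEL_DATA_MAX];
};

/* Largest payload the reply says i2cdev_ioctl_smbus() can pass down. */
static size_t model_caller_max(void)
{
	return MODEL_SMBUS_BLOCK_MAX + 2; /* 34 */
}

/* Same field setup as the quoted function, with the bound checked locally.
 * Returns the report length in bytes, or -EINVAL if the payload cannot fit. */
static int model_smbus_write(struct model_write_report *rep, uint8_t addr,
			     uint8_t cmd, const uint8_t *data, uint8_t data_len)
{
	if (data_len > sizeof(rep->data) - 1) /* data[0] holds cmd */
		return -EINVAL;

	rep->address = addr;
	rep->data[0] = cmd;
	rep->length = data_len + 1;
	if (data_len > 0)
		memcpy(&rep->data[1], data, data_len);
	return 4 + rep->length;
}

int main(void)
{
	struct model_write_report rep = {0};
	uint8_t payload[255] = {0}; /* constructed sample input */

	printf("caller max %zu -> %d\n", model_caller_max(),
	       model_smbus_write(&rep, 0x50, 0x00, payload, 34));
	printf("u8 max 255 -> %d\n",
	       model_smbus_write(&rep, 0x50, 0x00, payload, 255));
	return 0;
}
```

With the check in place the copy is bounded by the buffer itself rather than by what every caller of the transfer function happens to pass, which is the property a static checker can verify without following the call chain.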