On Mon, 13 Sep 2021 10:37:09 +0300
Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
> On Sat, Sep 11, 2021 at 04:42:53PM +0100, Jonathan Cameron wrote:
> > On Thu, 9 Sep 2021 12:13:36 +0300
> > Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
> >
> > > The "idx" is validated at the start of the loop but it gets incremented
> > > during the iteration so it needs to be checked again.
> > >
> > > Fixes: 50dd64d57eee ("iio: common: ssp_sensors: Add sensorhub driver")
> > > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> >
> > This is only a fix if we assume that the len value check is there
> > as a protection against buffer overrun rather than as a termination condition
> > that occurs when parsing a valid record.
> >
> > There is more paranoid checking in ssp_print_mc_debug() so it seems we aren't assuming
> > valid data in there at least.
> >
> > Still is this perhaps a case of hardening rather than a fix or am I missing something?
> >
>
> Yeah. This is from static analysis. It's not a bug that probably
> affects real life.
>
> I guess it's debatable if it should get a Fixes tag, but I feel like
> everything should be written in a hardened way. Plus with the Fixes tag
> it will get backported.
>
> > As an aside, if that ssp_print_mcu_debug() reads a negative char it is then
> > returned directly so we get a random small negative number as the error code which
> > isn't going to be very useful.
>
> That's true. I will send that as a separate fix though. Definitely
> with a Fixes tag on that. ;)
Ok. Applied to fixes-togreg branch of iio.igt and marked for stable.
Hardening this can't do us any harm as far as I can tell and it is a good thing
to do then it is sensible to backport it.
Thanks,
Jonathan
>
> regards,
> dan carpenter
>
