Hello Erick Archer,

Commit 63cafaf47a83 ("HID: ishtp-hid-client: replace fake-flex arrays
with flex-array members") from Sep 22, 2024 (linux-next), leads to the
following Smatch static checker warning:

        drivers/hid/intel-ish-hid/ishtp-hid-client.c:306 process_recv()
        warn: potential pointer math issue ('report' is a 64 bit pointer)

drivers/hid/intel-ish-hid/ishtp-hid-client.c
    66 static void process_recv(struct ishtp_cl *hid_ishtp_cl, void *recv_buf,
    67                          size_t data_len)
    68 {
    69         struct hostif_msg *recv_msg;
    70         unsigned char *payload;
    71         struct device_info *dev_info;
    72         int i, j;
    73         size_t payload_len, total_len, cur_pos, raw_len, msg_len;
    74         int report_type;
    75         struct report_list *reports_list;
    76         struct report *report;
                              ^^^^^^
    77         size_t report_len;
    78         struct ishtp_cl_data *client_data = ishtp_get_client_data(hid_ishtp_cl);
    79         int curr_hid_dev = client_data->cur_hid_dev;
    80         struct ishtp_hid_data *hid_data = NULL;
    81         struct hid_device *hid = NULL;
    82

 [ snip ]

   279
   280                 case HOSTIF_PUBLISH_INPUT_REPORT_LIST:
   281                         report_type = HID_INPUT_REPORT;
   282                         reports_list = (struct report_list *)payload;
   283                         report = reports_list->reports;
   284
   285                         for (j = 0; j < reports_list->num_of_reports; j++) {
   286                                 recv_msg = container_of(&report->msg,
   287                                                         struct hostif_msg, hdr);
   288                                 report_len = report->size;
   289                                 payload = recv_msg->payload;
   290                                 payload_len = report_len -
   291                                         sizeof(struct hostif_msg_hdr);
   292
   293                                 for (i = 0; i < client_data->num_hid_devices;
   294                                      ++i)
   295                                         if (recv_msg->hdr.device_id ==
   296                                             client_data->hid_devices[i].dev_id &&
   297                                             client_data->hid_sensor_hubs[i]) {
   298                                                 hid_input_report(
   299                                                         client_data->hid_sensor_hubs[
   300                                                                 i],
   301                                                         report_type,
   302                                                         payload, payload_len,
   303                                                         0);
   304                                         }
   305
--> 306                                 report += sizeof(*report) + payload_len;

The pointer math doesn't work here.  'report' is a struct report pointer,
so the += is scaled by sizeof(*report) and the pointer advances by that
many structs instead of that many bytes.  This will read way beyond the
end of the buffer.

It needs to be something like:

        report = (void *)report + sizeof(*report) + payload_len;

regards,
dan carpenter

   307                         }
   308                         break;
   309                 default:
   310                         ++client_data->bad_recv_cnt;
   311                         report_bad_packet(hid_ishtp_cl, recv_msg, cur_pos,
   312                                           payload_len);
   313                         ish_hw_reset(ishtp_get_ishtp_device(hid_ishtp_cl));
   314                         break;
   315
   316                 }
   317
   318                 msg_len = payload_len + sizeof(struct hostif_msg);