On Sat, Sep 11, 2021 at 04:42:53PM +0100, Jonathan Cameron wrote: > On Thu, 9 Sep 2021 12:13:36 +0300 > Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote: > > > The "idx" is validated at the start of the loop but it gets incremented > > during the iteration so it needs to be checked again. > > > > Fixes: 50dd64d57eee ("iio: common: ssp_sensors: Add sensorhub driver") > > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > > This is only a fix if we assume that the len value check is there > as a protection against buffer overrun rather than as a termination condition > that occurs when parsing a valid record. > > There is more paranoid checking in ssp_print_mc_debug() so it seems we aren't assuming > valid data in there at least. > > Still is this perhaps a case of hardening rather than a fix or am I missing something? > Yeah. This is from static analysis. It's not a bug that probably affects real life. I guess it's debatable if it should get a Fixes tag, but I feel like everything should be written in a hardened way. Plus with the Fixes tag it will get backported. > As an aside, if that ssp_print_mcu_debug() reads a negative char it is then > returned directly so we get a random small negative number as the error code which > isn't going to be very useful. That's true. I will send that as a separate fix though. Definitely with a Fixes tag on that. ;) regards, dan carpenter