Re: [PATCH] iio: ssp_sensors: add more range checking in ssp_parse_dataframe()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, Sep 11, 2021 at 04:42:53PM +0100, Jonathan Cameron wrote:
> On Thu, 9 Sep 2021 12:13:36 +0300
> Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
> 
> > The "idx" is validated at the start of the loop but it gets incremented
> > during the iteration so it needs to be checked again.
> > 
> > Fixes: 50dd64d57eee ("iio: common: ssp_sensors: Add sensorhub driver")
> > Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> 
> This is only a fix if we assume that the len value check is there
> as a protection against buffer overrun rather than as a termination condition
> that occurs when parsing a valid record.
> 
> There is more paranoid checking in ssp_print_mc_debug() so it seems we aren't assuming
> valid data in there at least.
> 
> Still is this perhaps a case of hardening rather than a fix or am I missing something?
> 

Yeah.  This is from static analysis.  It's not a bug that probably
affects real life.

I guess it's debatable if it should get a Fixes tag, but I feel like
everything should be written in a hardened way.  Plus with the Fixes tag
it will get backported.

> As an aside, if that ssp_print_mcu_debug() reads a negative char it is then
> returned directly so we get a random small negative number as the error code which
> isn't going to be very useful.

That's true.  I will send that as a separate fix though.  Definitely
with a Fixes tag on that.  ;)

regards,
dan carpenter




[Index of Archives]     [Kernel Development]     [Kernel Announce]     [Kernel Newbies]     [Linux Networking Development]     [Share Photos]     [IDE]     [Security]     [Git]     [Netfilter]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Device Mapper]

  Powered by Linux