On Fri, Aug 19, 2022 at 8:25 AM Dan Carpenter <dan.carpenter@xxxxxxxxxx> wrote:
>
> It looks like there are potential out of bounds accesses in the
> read/write() functions. Also can "len" be negative? Let's check for
> that too.

...

> + if (bank_idx >= ARRAY_SIZE(info->i2c))

Okay, the index of the bank comes from arbitrary data and here you
want to prevent it from overflowing.

> + return -EINVAL;

...

> + if (len < 0 || bank_idx >= ARRAY_SIZE(info->i2c))
> + return -EINVAL;

Ditto here. But what I would do differently is a check for len.
Instead split the assignment and do a check beforehand.

  unsigned int len;

  if (count < MT6370_MAX_ADDRLEN)
    return -EINVAL;
  len = count - MT6370_MAX_ADDRLEN;

-- 
With Best Regards,
Andy Shevchenko
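
Review bot: In the second hunk, the "len < 0" test runs only after len has already been computed, so it works only if len is a signed type and the earlier subtraction produced a negative value rather than wrapping. The assignment itself is not in the quoted lines, but the reply shows it as count - MT6370_MAX_ADDRLEN; rejecting count < MT6370_MAX_ADDRLEN before the subtraction and declaring len unsigned, as suggested, makes the bound explicit and removes the need for the negative test. The bank_idx >= ARRAY_SIZE(info->i2c) check in both hunks is the right shape for an index taken from caller-supplied data and should stay ahead of any use of info->i2c[bank_idx].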