[char-misc v4.14.y] mei: bus: type promotion bug in mei_nfc_if_version()

23 Sep 2018

From: Dan Carpenter dan.carpenter@oracle.com
commit b40b3e9358fbafff6a4ba0f4b9658f6617146f9c upstream
We accidentally removed the check for negative returns
without considering the issue of type promotion.
The "if_version_length" variable is type size_t so if __mei_cl_recv()
returns a negative then "bytes_recv" is type promoted
to a high positive value and treated as success.
Cc: stable@vger.kernel.org # 4.14
Fixes: 582ab27a063a ("mei: bus: fix received data size check in NFC fixup")
Signed-off-by: Dan Carpenter dan.carpenter@oracle.com
Signed-off-by: Tomas Winkler tomas.winkler@intel.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 drivers/misc/mei/bus-fixup.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/misc/mei/bus-fixup.c b/drivers/misc/mei/bus-fixup.c
index 0208c4b027c5..fa0236a5e59a 100644
--- a/drivers/misc/mei/bus-fixup.c
+++ b/drivers/misc/mei/bus-fixup.c
@@ -267,7 +267,7 @@ static int mei_nfc_if_version(struct mei_cl *cl,
ret = 0;
    bytes_recv = __mei_cl_recv(cl, (u8 *)reply, if_version_length, 0);
-	if (bytes_recv < if_version_length) {
+	if (bytes_recv < 0 || bytes_recv < if_version_length) {
    	dev_err(bus->dev, "Could not read IF version\n");
    	ret = -EIO;
    	goto err;
-- 
2.14.4


    

2024

2023

2022

2021

2020

2019

2018

2017

[char-misc v4.14.y] mei: bus: type promotion bug in mei_nfc_if_version()