[PATCH 4.4 67/70] mei: bus: type promotion bug in mei_nfc_if_version()

24 Sep 2018

4.4-stable review patch.  If anyone has any objections, please let me know.
------------------
From: Dan Carpenter dan.carpenter@oracle.com
commit b40b3e9358fbafff6a4ba0f4b9658f6617146f9c upstream.
We accidentally removed the check for negative returns
without considering the issue of type promotion.
The "if_version_length" variable is type size_t so if __mei_cl_recv()
returns a negative then "bytes_recv" is type promoted
to a high positive value and treated as success.
Cc: stable@vger.kernel.org
Fixes: 582ab27a063a ("mei: bus: fix received data size check in NFC fixup")
Signed-off-by: Dan Carpenter dan.carpenter@oracle.com
Signed-off-by: Tomas Winkler tomas.winkler@intel.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
---
 drivers/misc/mei/bus-fixup.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/misc/mei/bus-fixup.c
+++ b/drivers/misc/mei/bus-fixup.c
@@ -151,7 +151,7 @@ static int mei_nfc_if_version(struct mei
ret = 0;
    bytes_recv = __mei_cl_recv(cl, (u8 *)reply, if_version_length);
-	if (bytes_recv < if_version_length) {
+	if (bytes_recv < 0 || bytes_recv < if_version_length) {
    	dev_err(bus->dev, "Could not read IF version\n");
    	ret = -EIO;
    	goto err;

    

2024

2023

2022

2021

2020

2019

2018

2017

[PATCH 4.4 67/70] mei: bus: type promotion bug in mei_nfc_if_version()