Re: [PATCH] block: sed-opal: Fix a couple off by one bugs
From: Scott Bauer <hidden>
Date: 2018-06-20 17:28:00
Also in:
kernel-janitors
On Wed, Jun 20, 2018 at 01:41:51PM +0300, Dan Carpenter wrote:
> resp->num is the number of tokens in resp->tok[]. It gets set in
> response_parse(). So if n == resp->num then we're reading beyond the
> end of the data.
>
> Fixes: 455a7b238cd6 ("block: Add Sed-opal library")
> Signed-off-by: Dan Carpenter <redacted>
> ---

Reviewed-by: Scott Bauer <redacted>
Tested-by: Scott Bauer <redacted>

> Static analysis. Not tested. This matches the checking in
> response_get_token().
>
> My other concern is that there isn't checking in response_parse() to
> ensure that we don't go over MAX_TOKS (64) entries. If the firmware is
> buggy we're probably very screwed already, so it doesn't necessarily
> make a lot of difference at runtime but it might make static analysis
> easier if we knew the value of resp->num was in the 1-64 range.

Do you want to send this patch or do you want me to do it? I'm all for never trusting firmware... I've seen it.
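
The two bounds checks discussed in this thread, as an added C example that is not part of the e-mail and is not the kernel's sed-opal code: an index check that rejects n == num, and a parser that stops filling tok[] at MAX_TOKS. The struct layout, the `model_*` names, the one-byte-per-token parser and the `n > num` form of the off-by-one comparison are assumptions, since the patch hunks are not quoted in this message.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_TOKS 64                 /* capacity of tok[], as named in the thread */

struct tok { const uint8_t *pos; size_t len; };   /* simplified token (assumption) */

struct parsed_resp {
    int num;                        /* number of valid entries in tok[] */
    struct tok tok[MAX_TOKS];
};

/* Toy parser (assumption): each input byte becomes one token.
 * Returns 0 on success, -1 once the input needs more than MAX_TOKS slots. */
static int model_parse(struct parsed_resp *resp, const uint8_t *buf, size_t len)
{
    resp->num = 0;
    for (size_t i = 0; i < len; i++) {
        if (resp->num >= MAX_TOKS)
            return -1;              /* cap: never write tok[MAX_TOKS] */
        resp->tok[resp->num].pos = &buf[i];
        resp->tok[resp->num].len = 1;
        resp->num++;
    }
    return 0;
}

/* Valid indexes are 0 .. num-1, so n == num has to be rejected as well. */
static const struct tok *model_get_token(const struct parsed_resp *resp, int n)
{
    if (!resp || n < 0 || n >= resp->num)
        return NULL;
    return &resp->tok[n];
}

/* Assumed off-by-one form (rejects only n > num): shows which index slips by. */
static int off_by_one_check_accepts(const struct parsed_resp *resp, int n)
{
    return n <= resp->num;
}

int main(void)
{
    static const uint8_t wire[3] = { 0xf8, 0x00, 0xf9 };   /* constructed input */
    struct parsed_resp r;
    model_parse(&r, wire, sizeof(wire));
    printf("n=%d: >= check %s, > check %s\n", r.num,
           model_get_token(&r, r.num) ? "accepts" : "rejects",
           off_by_one_check_accepts(&r, r.num) ? "accepts" : "rejects");
    return 0;
}
```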