[smatch stuff] hid-logitech-dj: off by one range checking
From: Dan Carpenter <hidden>
Date: 2011-09-20 08:06:40
Hi Nestor,

Smatch complains about an off by one range check here.  It looks like
a bug, but I'm not sure of the correct fix.

drivers/hid/hid-logitech-dj.c +278 logi_dj_recv_add_djhid_device(66)
	error: buffer overflow 'djrcv_dev->paired_dj_devices' 6 <= 6

   233          if ((dj_report->device_index < DJ_DEVICE_INDEX_MIN) ||
   234              (dj_report->device_index > DJ_DEVICE_INDEX_MAX)) {
   235                  dev_err(&djrcv_hdev->dev, "%s: invalid device index:%d\n",
   236                          __func__, dj_report->device_index);
   237                  return;
   238          }

DJ_DEVICE_INDEX_MIN is 1
DJ_DEVICE_INDEX_MAX is 6

   278          djrcv_dev->paired_dj_devices[dj_report->device_index] = dj_dev;

->paired_dj_devices[] has 6 elements so if dj_report->device_index is
6 we're one past the end of the array.

regards,
dan carpenter
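
Added example, not part of the original message and not the driver's code: a user-space C model of the reported range check, showing that index 6 passes the test yet lies outside a 6-element array, next to two bounds-safe variants. NUM_SLOTS, struct receiver_a/receiver_b, add_rebased and add_enlarged are hypothetical names, and neither variant is claimed to be the fix the driver adopted.

```c
#include <stddef.h>
#include <stdio.h>
#define DJ_DEVICE_INDEX_MIN 1   /* value quoted in the report */
#define DJ_DEVICE_INDEX_MAX 6   /* value quoted in the report */
#define NUM_SLOTS 6             /* hypothetical name; report says 6 elements */

struct dj_device { int id; };   /* stand-in for the driver's device struct */
struct receiver_a { struct dj_device *paired[NUM_SLOTS]; };               /* as reported */
struct receiver_b { struct dj_device *paired[DJ_DEVICE_INDEX_MAX + 1]; }; /* slot 0 unused */

/* The range test from lines 233-234 of the report, as a predicate. */
static int index_accepted(unsigned int idx)
{
	return idx >= DJ_DEVICE_INDEX_MIN && idx <= DJ_DEVICE_INDEX_MAX;
}

/* Count indexes in the constructed range 0..255 that pass the test but overrun nslots. */
static int accepted_but_out_of_bounds(size_t nslots)
{
	int n = 0;
	for (unsigned int idx = 0; idx <= 255; idx++)
		if (index_accepted(idx) && idx >= nslots)
			n++;
	return n;
}

/* Variant 1: keep 6 slots, rebase the 1-based index to 0-based. */
static int add_rebased(struct receiver_a *r, unsigned int idx, struct dj_device *d)
{
	if (!index_accepted(idx))
		return -1;
	r->paired[idx - DJ_DEVICE_INDEX_MIN] = d;
	return 0;
}

/* Variant 2: keep the subscript, size the array to DJ_DEVICE_INDEX_MAX + 1. */
static int add_enlarged(struct receiver_b *r, unsigned int idx, struct dj_device *d)
{
	if (!index_accepted(idx))
		return -1;
	r->paired[idx] = d;
	return 0;
}

int main(void)
{
	printf("accepted but out of bounds with 6 slots: %d\n", accepted_but_out_of_bounds(NUM_SLOTS));
	return 0;
}
```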