[bug report] HID: ft260: add usb hid to i2c host bridge driver

From: Dan Carpenter <hidden>
Date: 2021-04-09 12:32:24
Also in: linux-i2c

Hello Michael Zaidman,

The patch 6a82582d9fa4: "HID: ft260: add usb hid to i2c host bridge
driver" from Feb 19, 2021, leads to the following static checker
warning:

	drivers/hid/hid-ft260.c:441 ft260_smbus_write()
	error: '__memcpy()' '&rep->data[1]' too small (59 vs 255)

drivers/hid/hid-ft260.c
   423  static int ft260_smbus_write(struct ft260_device *dev, u8 addr, u8 cmd,
   424                               u8 *data, u8 data_len, u8 flag)
   425  {
   426          int ret = 0;
   427          int len = 4;
   428  
   429          struct ft260_i2c_write_request_report *rep =
   430                  (struct ft260_i2c_write_request_report *)dev->write_buf;
   431  
   432          rep->address = addr;
   433          rep->data[0] = cmd;
   434          rep->length = data_len + 1;
   435          rep->flag = flag;
   436          len += rep->length;
   437  
   438          rep->report = FT260_I2C_DATA_REPORT_ID(len);
   439  
   440          if (data_len > 0)
   441                  memcpy(&rep->data[1], data, data_len);
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Smatch says that this can be called from the i2cdev_ioctl_smbus()
function.

i2cdev_ioctl_smbus()
  --> i2c_smbus_xfer
      --> __i2c_smbus_xfer
          --> ft260_smbus_xfer
              --> ft260_smbus_write

   442  
   443          ft260_dbg("rep %#02x addr %#02x cmd %#02x datlen %d replen %d\n",
   444                    rep->report, addr, cmd, rep->length, len);
   445  
   446          ret = ft260_hid_output_report_check_status(dev, (u8 *)rep, len);
   447  
   448          return ret;
   449  }

regards,
dan carpenter

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help