mei: bus: fix received data size check in NFC fixup

commit 582ab27a063a506ccb55fc48afcc325342a2deba upstream.

NFC version reply size checked against only header size, not against
full message size. That may lead potentially to uninitialized memory access
in version data.

That leads to warnings when version data is accessed:
drivers/misc/mei/bus-fixup.c: warning: '*((void *)&ver+11)' may be used uninitialized in this function [-Wuninitialized]:  => 212:2

Reported in
Build regressions/improvements in v4.9-rc3
https://lkml.org/lkml/2016/10/30/57

[js] the check is in 3.12 only once

Fixes: 59fcd7c63abf (mei: nfc: Initial nfc implementation)
Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Willy Tarreau <w@1wt.eu>

diff --git a/drivers/misc/mei/nfc.c b/drivers/misc/mei/nfc.c
index 4b7ea3fb143c650aa3030ad697ea69ba1e5b8b98..1f8f856946cd7bd24f70291b7a8a339c3871ab94 100644 (file)
--- a/drivers/misc/mei/nfc.c
+++ b/drivers/misc/mei/nfc.c
@@ -292,7 +292,7 @@ static int mei_nfc_if_version(struct mei_nfc_dev *ndev)
                return -ENOMEM;
 
        bytes_recv = __mei_cl_recv(cl, (u8 *)reply, if_version_length);
-       if (bytes_recv < 0 || bytes_recv < sizeof(struct mei_nfc_reply)) {
+       if (bytes_recv < if_version_length) {
                dev_err(&dev->pdev->dev, "Could not read IF version\n");
                ret = -EIO;
                goto err;