mei: fix potential read outside of array bounds
authorAlexander Usyskin <alexander.usyskin@intel.com>
Mon, 17 Feb 2014 13:13:22 +0000 (15:13 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 18 Feb 2014 18:05:07 +0000 (10:05 -0800)
Drop the not-very-useful check, and with it
fix a read at an index that can be past the end of the array.
Clean up the search function as a byproduct.

Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com>
Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/misc/mei/client.c

index 8afba05347790d972a1079abc4cc1c6c330e464b..539e861abc1e7a38d8ae5926a98daca5736e5ed0 100644 (file)
  * mei_me_cl_by_uuid - locate index of me client
  *
  * @dev: mei device
+ *
+ * Locking: called under "dev->device_lock" lock
+ *
  * returns me client index or -ENOENT if not found
  */
 int mei_me_cl_by_uuid(const struct mei_device *dev, const uuid_le *uuid)
 {
-       int i, res = -ENOENT;
+       int i;
 
        for (i = 0; i < dev->me_clients_num; ++i)
                if (uuid_le_cmp(*uuid,
-                               dev->me_clients[i].props.protocol_name) == 0) {
-                       res = i;
-                       break;
-               }
+                               dev->me_clients[i].props.protocol_name) == 0)
+                       return i;
 
-       return res;
+       return -ENOENT;
 }
 
 
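Review bot: The kernel-doc for mei_me_cl_by_uuid still documents only `@dev`, so the `uuid` parameter has no entry; a line such as ` * @uuid: me client uuid` after the `@dev` line would complete it. The opening line of that comment lies outside the hunk. As a style point, the multi-line `if` under the `for` is left unbraced here and again in mei_me_cl_by_id; current kernel coding style asks for braces when a loop body is more than one simple statement, i.e. `for (i = 0; i < dev->me_clients_num; ++i) {` with a closing `}` after the `return i;`.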
@@ -60,16 +61,12 @@ int mei_me_cl_by_uuid(const struct mei_device *dev, const uuid_le *uuid)
 int mei_me_cl_by_id(struct mei_device *dev, u8 client_id)
 {
        int i;
+
        for (i = 0; i < dev->me_clients_num; i++)
                if (dev->me_clients[i].client_id == client_id)
-                       break;
-       if (WARN_ON(dev->me_clients[i].client_id != client_id))
-               return -ENOENT;
+                       return i;
 
-       if (i == dev->me_clients_num)
-               return -ENOENT;
-
-       return i;
+       return -ENOENT;
 }
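Review bot: mei_me_cl_by_id walks dev->me_clients[] the same way mei_me_cl_by_uuid does, but only the latter's kernel-doc visibly gains the `Locking: called under "dev->device_lock" lock` line in this commit. The comment above mei_me_cl_by_id is outside the hunk, so this cannot be confirmed from here; if it lacks the note, the same line belongs there. With the WARN_ON gone, a missing client is signalled only by the -ENOENT return, so every caller has to test the result with something like `if (i < 0)` before using it as an index into dev->me_clients[]. The callers are not visible in this diff and are worth checking, since an unchecked negative index would bring back an out-of-bounds access on the other side of the array.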