mei: fix potential read outside of array bounds

Drop not-very-useful check and with this fix read on index that can be after array end. Cleanup search function as byproduct. Signed-off-by: Alexander Usyskin <alexander.usyskin@intel.com> Signed-off-by: Tomas Winkler <tomas.winkler@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-12-14 07:02:23 +00:00 · 2014-02-17 15:13:22 +02:00 · 2014-02-17 15:13:22 +02:00 · a27a76d3c0
commit a27a76d3c0
parent 64092858ac
1 changed files with 10 additions and 13 deletions
--- a/drivers/misc/mei/client.c
+++ b/drivers/misc/mei/client.c
@ -29,20 +29,21 @@
 * mei_me_cl_by_uuid - locate index of me client
 *
 * @dev: mei device
+ *
+ * Locking: called under "dev->device_lock" lock
+ *
 * returns me client index or -ENOENT if not found
 */
 int mei_me_cl_by_uuid(const struct mei_device *dev, const uuid_le *uuid)
 {
-	int i, res = -ENOENT;
+	int i;

 	for (i = 0; i < dev->me_clients_num; ++i)
 		if (uuid_le_cmp(*uuid,
-				dev->me_clients[i].props.protocol_name) == 0) {
-			res = i;
-			break;
-		}
+				dev->me_clients[i].props.protocol_name) == 0)
+			return i;

-	return res;
+	return -ENOENT;
 }


@ -60,16 +61,12 @@ int mei_me_cl_by_uuid(const struct mei_device *dev, const uuid_le *uuid)
 int mei_me_cl_by_id(struct mei_device *dev, u8 client_id)
 {
 	int i;
+
 	for (i = 0; i < dev->me_clients_num; i++)
 		if (dev->me_clients[i].client_id == client_id)
-			break;
-	if (WARN_ON(dev->me_clients[i].client_id != client_id))
-		return -ENOENT;
+			return i;

-	if (i == dev->me_clients_num)
-		return -ENOENT;
-
-	return i;
+	return -ENOENT;
 }