Commit 10c90120 authored by Shuah Khan's avatar Shuah Khan Committed by Greg Kroah-Hartman

usbip: stub_rx: fix static checker warning on unnecessary checks

Fix the following static checker warnings:

The patch c6688ef9: "usbip: fix stub_rx: harden CMD_SUBMIT path
to handle malicious input" from Dec 7, 2017, leads to the following
static checker warning:

    drivers/usb/usbip/stub_rx.c:346 get_pipe()
    warn: impossible condition
'(pdu->u.cmd_submit.transfer_buffer_length > ((~0 >> 1))) =>
(s32min-s32max > s32max)'
    drivers/usb/usbip/stub_rx.c:486 stub_recv_cmd_submit()
    warn: always true condition
'(pdu->u.cmd_submit.transfer_buffer_length <= ((~0 >> 1))) =>
(s32min-s32max <= s32max)'
Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarShuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 90120d15
...@@ -339,14 +339,6 @@ static int get_pipe(struct stub_device *sdev, struct usbip_header *pdu) ...@@ -339,14 +339,6 @@ static int get_pipe(struct stub_device *sdev, struct usbip_header *pdu)
epd = &ep->desc; epd = &ep->desc;
/* validate transfer_buffer_length */
if (pdu->u.cmd_submit.transfer_buffer_length > INT_MAX) {
dev_err(&sdev->udev->dev,
"CMD_SUBMIT: -EMSGSIZE transfer_buffer_length %d\n",
pdu->u.cmd_submit.transfer_buffer_length);
return -1;
}
if (usb_endpoint_xfer_control(epd)) { if (usb_endpoint_xfer_control(epd)) {
if (dir == USBIP_DIR_OUT) if (dir == USBIP_DIR_OUT)
return usb_sndctrlpipe(udev, epnum); return usb_sndctrlpipe(udev, epnum);
...@@ -479,8 +471,7 @@ static void stub_recv_cmd_submit(struct stub_device *sdev, ...@@ -479,8 +471,7 @@ static void stub_recv_cmd_submit(struct stub_device *sdev,
} }
/* allocate urb transfer buffer, if needed */ /* allocate urb transfer buffer, if needed */
if (pdu->u.cmd_submit.transfer_buffer_length > 0 && if (pdu->u.cmd_submit.transfer_buffer_length > 0) {
pdu->u.cmd_submit.transfer_buffer_length <= INT_MAX) {
priv->urb->transfer_buffer = priv->urb->transfer_buffer =
kzalloc(pdu->u.cmd_submit.transfer_buffer_length, kzalloc(pdu->u.cmd_submit.transfer_buffer_length,
GFP_KERNEL); GFP_KERNEL);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment