re: NFC: trf7970a: Handle extra byte in response to Type 5 RMB commands

* re: NFC: trf7970a: Handle extra byte in response to Type 5 RMB commands
@ 2015-06-23 13:07 Dan Carpenter
  0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2015-06-23 13:07 UTC (permalink / raw)
  To: mgreer; +Cc: linux-wireless

Hello Mark A. Greer,

This is a semi-automatic email about new static checker warnings.

The patch ab714817d7e8: "NFC: trf7970a: Handle extra byte in response 
to Type 5 RMB commands" from Apr 24, 2015, leads to the following 
Smatch complaint:

	drivers/nfc/trf7970a.c:632 trf7970a_send_upstream()
	 error: we previously assumed 'trf->rx_skb' could be null (see line 613)

drivers/nfc/trf7970a.c
   612	
   613		if (trf->rx_skb && !IS_ERR(trf->rx_skb) && !trf->aborting)
                    ^^^^^^^^^^^
Check for NULL.

   614			print_hex_dump_debug("trf7970a rx data: ", DUMP_PREFIX_NONE,
   615					16, 1, trf->rx_skb->data, trf->rx_skb->len,
   616					false);
   617	
   618		trf->state = TRF7970A_ST_IDLE;
   619	
   620		if (trf->aborting) {
   621			dev_dbg(trf->dev, "Abort process complete\n");
   622	
   623			if (!IS_ERR(trf->rx_skb)) {
   624				kfree_skb(trf->rx_skb);
   625				trf->rx_skb = ERR_PTR(-ECANCELED);
   626			}
   627	
   628			trf->aborting = false;
   629		}
   630	
   631		if (trf->adjust_resp_len) {
   632			skb_trim(trf->rx_skb, trf->rx_skb->len - 1);
                                 ^^^^^^^^^^^
Patch introduces unchecked dereference inside skb_trim().

   633			trf->adjust_resp_len = false;
   634		}

regards,
dan carpenter

^ permalink raw reply	[flat|nested] only message in thread