From 4808d1633336a98f3c48a94a7e1fcd1e1030a324 Mon Sep 17 00:00:00 2001 From: AKASHI Takahiro Date: Tue, 7 Nov 2023 09:05:47 +0900 Subject: firmware: scmi: correct a validity check against power domain id A power domain id on sandbox should be in the range from zero to ARRAY_SIZE(scmi_pwdom) - 1. Correct the validity check logic. Addresses-Coverity-ID: 467401 ("Out-of-bounds write") Addresses-Coverity-ID: 467405 ("Out-of-bounds read") Signed-off-by: AKASHI Takahiro --- drivers/firmware/scmi/sandbox-scmi_agent.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/firmware/scmi/sandbox-scmi_agent.c b/drivers/firmware/scmi/sandbox-scmi_agent.c index 9f5f497e0a6..d1318096266 100644 --- a/drivers/firmware/scmi/sandbox-scmi_agent.c +++ b/drivers/firmware/scmi/sandbox-scmi_agent.c @@ -576,7 +576,7 @@ static int sandbox_scmi_pwd_attribs(struct udevice *dev, struct scmi_msg *msg) domain_id = *(u32 *)msg->in_msg; out = (struct scmi_pwd_attrs_out *)msg->out_msg; - if (domain_id > ARRAY_SIZE(scmi_pwdom)) { + if (domain_id >= ARRAY_SIZE(scmi_pwdom)) { out->status = SCMI_NOT_FOUND; return 0; @@ -613,7 +613,7 @@ static int sandbox_scmi_pwd_state_set(struct udevice *dev, struct scmi_msg *msg) in = (struct scmi_pwd_state_set_in *)msg->in_msg; status = (s32 *)msg->out_msg; - if (in->domain_id > ARRAY_SIZE(scmi_pwdom)) { + if (in->domain_id >= ARRAY_SIZE(scmi_pwdom)) { *status = SCMI_NOT_FOUND; return 0; @@ -653,7 +653,7 @@ static int sandbox_scmi_pwd_state_get(struct udevice *dev, struct scmi_msg *msg) domain_id = *(u32 *)msg->in_msg; out = (struct scmi_pwd_state_get_out *)msg->out_msg; - if (domain_id > ARRAY_SIZE(scmi_pwdom)) { + if (domain_id >= ARRAY_SIZE(scmi_pwdom)) { out->status = SCMI_NOT_FOUND; return 0; @@ -686,7 +686,7 @@ static int sandbox_scmi_pwd_name_get(struct udevice *dev, struct scmi_msg *msg) domain_id = *(u32 *)msg->in_msg; out = (struct scmi_pwd_name_get_out *)msg->out_msg; - if (domain_id > ARRAY_SIZE(scmi_pwdom)) { + if (domain_id >= ARRAY_SIZE(scmi_pwdom)) { out->status = SCMI_NOT_FOUND; return 0; -- cgit v1.2.3