Re: [PATCH 2/3] iio: light: veml6075: add bounds check to veml6075_it_ms index

[Javier Carrasco]

On Fri May 15, 2026 at 5:23 AM +13, Greg Kroah-Hartman wrote:
> From: Sam Daly <sam@xxxxxxxxxx>
>
> veml6075_it_ms has 5 elements but VEML6075_CONF_IT can yield
> values 0-7. If it returns a value >= 5, this causes an
> out-of-bounds array access. Add a bounds check and return
> -EINVAL if the index is out of range.
>
> Assisted-by: gkh_clanker_2000
> Cc: stable <stable@xxxxxxxxxx>
> Cc: Javier Carrasco <javier.carrasco.cruz@xxxxxxxxx>
> Cc: Jonathan Cameron <jic23@xxxxxxxxxx>
> Cc: David Lechner <dlechner@xxxxxxxxxxxx>
> Cc: "Nuno Sá" <nuno.sa@xxxxxxxxxx>
> Cc: Andy Shevchenko <andy@xxxxxxxxxx>
> Signed-off-by: Sam Daly <sam@xxxxxxxxxx>
> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
> ---
>  drivers/iio/light/veml6075.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/iio/light/veml6075.c b/drivers/iio/light/veml6075.c
> index edbb43407054..f7eb159e5cb4 100644
> --- a/drivers/iio/light/veml6075.c
> +++ b/drivers/iio/light/veml6075.c
> @@ -100,7 +100,7 @@ static const struct iio_chan_spec veml6075_channels[] = {
>
>  static int veml6075_request_measurement(struct veml6075_data *data)
>  {
> -	int ret, conf, int_time;
> +	int ret, conf, int_time, int_index;
>
>  	ret = regmap_read(data->regmap, VEML6075_CMD_CONF, &conf);
>  	if (ret < 0)
> @@ -117,7 +117,11 @@ static int veml6075_request_measurement(struct veml6075_data *data)
>  	 * time for all possible configurations. Using a 1.50 factor simplifies
>  	 * operations and ensures reliability under all circumstances.
>  	 */
> -	int_time = veml6075_it_ms[FIELD_GET(VEML6075_CONF_IT, conf)];
> +	int_index = FIELD_GET(VEML6075_CONF_IT, conf);
> +	if (int_index >= ARRAY_SIZE(veml6075_it_ms))
> +		return -EINVAL;
> +
> +	int_time = veml6075_it_ms[int_index];
>  	msleep(int_time + (int_time / 2));
>
>  	/* shutdown again, data registers are still accessible */

Reviewed-by: Javier Carrasco <javier.carrasco.cruz@xxxxxxxxx>