Re: [PATCH v2 2/2] software node: Fix software_node_get_reference_args() with index -1
From: Andy Shevchenko
Date: Mon Jun 29 2026 - 03:38:52 EST
On Sat, Jun 27, 2026 at 07:50:12AM +0800, Zijun Hu wrote:
> On 6/18/2026 11:20 PM, Alban Bedel wrote:
> > The bounds check for the index passed to
> > software_node_get_reference_args() was failing when passed UINT_MAX,
> > this in turn would lead to an out of bound access in the property
> > array. Fix the bound check to also cover the UINT_MAX case.
> >
> > Fixes: 31e4e12e0e960 ("software node: Correct a OOB check in software_node_get_reference_args()")
>
> i think the fix tag may not be right.
>
> for original express before the fix tag: if (index * sizeof(*ref) > prop->length)
>
> for UINT_MAX, multiplication overflow?
I agree that Fixes tag may be not the best chosen.
...
> > software_node_get_reference_args(const struct fwnode_handle *fwnode,
> > if (prop->is_inline)
> > return -EINVAL;
> >
> > - if ((index + 1) * sizeof(*ref) > prop->length)
> > + if (index >= prop->length / sizeof(*ref))
> > return -ENOENT;
> >
>
> who will use UINT_MAX ?
>
> This function is a interface function. the best fix should check
> input parameter @index and return -EINVAL if it is not expected?
And how do you know which index is allowed without doing that division?
Basically this patch does what you asked for: check input parameter for
the allowed range (which is dynamic, depending on the property length and
size of the reference structure.
--
With Best Regards,
Andy Shevchenko