In tpm2_map_to_phandle(), avoid the case where i equals
ARRAY_SIZE(space->context_tbl) and we then access space->context_tbl[i].
This fixes the following smatch error:
drivers/char/tpm/tpm2-space.c:232 tpm2_map_to_phandle() error: buffer
overflow 'space->context_tbl' 3 <= 3
Fixes: 5f6b4fbc12c8fc97 ("tpm: infrastructure for TPM spaces")
Signed-off-by: Vincent Stehlé <vincent.ste...@laposte.net>
Cc: Jarkko Sakkinen <jarkko.sakki...@linux.intel.com>
Cc: James Bottomley <james.bottom...@hansenpartnership.com>
---
Hi,
I saw that in Linux next-20170323.
Best regards,
Vincent.
drivers/char/tpm/tpm2-space.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/char/tpm/tpm2-space.c b/drivers/char/tpm/tpm2-space.c
index d36d81e07076..009934269514 100644
--- a/drivers/char/tpm/tpm2-space.c
+++ b/drivers/char/tpm/tpm2-space.c
@@ -229,7 +229,7 @@ static bool tpm2_map_to_phandle(struct tpm_space *space,
void *handle)
int i;
i = 0xFFFFFF - (vhandle & 0xFFFFFF);
- if (i > ARRAY_SIZE(space->context_tbl) || !space->context_tbl[i])
+ if (i >= ARRAY_SIZE(space->context_tbl) || !space->context_tbl[i])
return false;
phandle = space->context_tbl[i];
--
2.11.0
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
tpmdd-devel mailing list
tpmdd-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/tpmdd-devel
