From 2d50ef2cf3860caea1fc70e41986c58a8a9b0a50 Mon Sep 17 00:00:00 2001
From: Jack Pham
Date: Tue, 13 Sep 2016 10:17:25 -0700
Subject: [PATCH] usb: pd: Avoid potential NULL ptr dereferences

Check that a valid pointer was passed in addition to non-zero length to avoid dereferencing NULL pointers in functions where data is copied from policy engine to the PD PHY. Issues were identified with static analysis tool.

Change-Id: Ib42aad9e0d838eda4653e0bab9f074b3031983dd
Signed-off-by: Jack Pham
---
 drivers/usb/pd/policy_engine.c | 3 ++-
 drivers/usb/pd/qpnp-pdphy.c | 8 +++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/drivers/usb/pd/policy_engine.c b/drivers/usb/pd/policy_engine.c
index b011efe189e7..845c5e384964 100644
--- a/drivers/usb/pd/policy_engine.c
+++ b/drivers/usb/pd/policy_engine.c
@@ -925,7 +925,8 @@ int usbpd_send_vdm(struct usbpd *pd, u32 vdm_hdr, const u32 *vdos, int num_vdos)
 return -ENOMEM;
 vdm_tx->data[0] = vdm_hdr;
- memcpy(&vdm_tx->data[1], vdos, num_vdos * sizeof(u32));
+ if (vdos && num_vdos)
+ memcpy(&vdm_tx->data[1], vdos, num_vdos * sizeof(u32));
 vdm_tx->size = num_vdos + 1; /* include the header */
 /* VDM will get sent in PE_SRC/SNK_READY state handling */
diff --git a/drivers/usb/pd/qpnp-pdphy.c b/drivers/usb/pd/qpnp-pdphy.c
index 8cf294306efd..5b5e6210a1bb 100644
--- a/drivers/usb/pd/qpnp-pdphy.c
+++ b/drivers/usb/pd/qpnp-pdphy.c
@@ -445,8 +445,10 @@ int pd_phy_write(u16 hdr, const u8 *data, size_t data_len,
 dev_dbg(pdphy->dev, "%s: hdr %x frame type %d timeout %u\n", __func__, hdr, type, timeout_ms);
- print_hex_dump_debug("tx data obj:", DUMP_PREFIX_NONE, 32, 4,
- data, data_len, false);
+
+ if (data && data_len)
+ print_hex_dump_debug("tx data obj:", DUMP_PREFIX_NONE, 32, 4,
+ data, data_len, false);
 if (!pdphy) {
 pr_err("%s: pdphy not found\n", __func__);
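Review bot: In usbpd_send_vdm the new `if (vdos && num_vdos)` guard skips the copy when `vdos` is NULL, but `vdm_tx->size = num_vdos + 1` still counts data objects that were never written. A caller passing NULL with a non-zero count would then queue a VDM whose payload words are whatever the allocation held; whether that memory is zeroed depends on the allocator call above the hunk, which is not visible here. Rejecting the mismatch up front is safer than silently skipping it, e.g. `if (num_vdos && !vdos) return -EINVAL;` placed before the allocation so nothing leaks on the error path. The same silent skip applies to the `if (data && data_len)` guard in the later pd_phy_write hunk at -472, where the write proceeds without the data objects. The function body starts and ends outside this hunk, so also confirm that the signed `num_vdos` is range-checked before it reaches the `memcpy` length.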
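Review bot: The context line `dev_dbg(pdphy->dev, ...)` dereferences `pdphy` before the `if (!pdphy)` check that follows the new guard, so the NULL case this function explicitly handles can still fault whenever the debug statement is compiled in and enabled. The commit guards `data` but leaves this ordering untouched. Move the `if (!pdphy) { pr_err("%s: pdphy not found\n", __func__); ... }` block above the `dev_dbg` call, or log with `pr_debug` until `pdphy` has been validated. pd_phy_write begins and ends outside this hunk, so where `pdphy` is assigned is not visible here.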
@@ -472,7 +474,7 @@ int pd_phy_write(u16 hdr, const u8 *data, size_t data_len,
 if (ret) return ret;
- if (data_len) {
+ if (data && data_len) {
 /* write data objects of SOP message */
 ret = pdphy_bulk_reg_write(pdphy, USB_PDPHY_TX_BUFFER_DATA, data, data_len);