On 9/18/2025 7:50 PM, Dan Carpenter wrote:
> Re-order these checks to check if "i" is a valid array index before using
> it. This prevents a potential off by one read access.
>
> Fixes: d6e290837e50 ("tee: add Qualcomm TEE driver")
> Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
> ---
> drivers/tee/qcomtee/call.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/tee/qcomtee/call.c b/drivers/tee/qcomtee/call.c
> index cc17a48d0ab7..ac134452cc9c 100644
> --- a/drivers/tee/qcomtee/call.c
> +++ b/drivers/tee/qcomtee/call.c
> @@ -308,7 +308,7 @@ static int qcomtee_params_from_args(struct tee_param *params,
> }
>
> /* Release any IO and OO objects not processed. */
> - for (; u[i].type && i < num_params; i++) {
> + for (; i < num_params && u[i].type; i++) {
> if (u[i].type == QCOMTEE_ARG_TYPE_OO ||
> u[i].type == QCOMTEE_ARG_TYPE_IO)
> qcomtee_object_put(u[i].o);
This is not required, considering the sequence of clean up, this
would never happen. `i` at least have been accessed once in the
switch above.
Regards,
Amir
