From mboxrd@z Thu Jan  1 00:00:00 1970
From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: drm/dp/mst: fix OOB reads on 2-byte fields in sideband reply parsers
Date: Sun, 12 Apr 2026 10:31:51 +1000
Message-ID: <review-overall-20260410040026.2436280-1-ashutoshdesai993@gmail.com>
In-Reply-To: <20260410040026.2436280-1-ashutoshdesai993@gmail.com>
References: <20260410040026.2436280-1-ashutoshdesai993@gmail.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Overall Series Review

Subject: drm/dp/mst: fix OOB reads on 2-byte fields in sideband reply parse=
rs
Author: Ashutosh Desai <ashutoshdesai993@gmail.com>
Patches: 1
Reviewed: 2026-04-12T10:31:51.646390

---

This is a single-patch series that fixes out-of-bounds reads in three DP MS=
T sideband reply parsers. The bug is real: 16-bit field reads access `raw->=
msg[idx]` and `raw->msg[idx+1]` but only validate bounds *after* incrementi=
ng `idx`, meaning the second byte can read past valid message data when `id=
x =3D=3D raw->curlen - 1`, or both bytes when `idx =3D=3D raw->curlen`.

The fix is **correct in approach** =E2=80=94 it moves bounds checks before =
the 2-byte reads using `idx + 2 > raw->curlen`, which is the right pattern.=
 However, there are several issues worth addressing before the patch is mer=
ged: missing `Fixes:` and `Cc: stable` tags, some redundant checks introduc=
ed by the patch, and a slightly misleading commit message.

---
Generated by Claude Code Patch Reviewer