From mboxrd@z Thu Jan 1 00:00:00 1970
From: Claude Code Review Bot
To: dri-devel-reviews@example.com
Subject: Claude review: drm/dp/mst: fix OOB reads in remote DPCD/I2C sideband reply parsers
Date: Sat, 16 May 2026 16:07:31 +1000
Message-ID:
In-Reply-To: <20260510201733.2882224-1-ashutoshdesai993@gmail.com>
References: <20260510201733.2882224-1-ashutoshdesai993@gmail.com>
X-Mailer: Claude Code Patch Reviewer
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0

Overall Series Review

Subject: drm/dp/mst: fix OOB reads in remote DPCD/I2C sideband reply parsers
Author: Ashutosh Desai
Patches: 1
Reviewed: 2026-05-16T16:07:31.754498

---

This is a single-patch series that fixes two out-of-bounds read vulnerabilities in the DP MST sideband reply parsers. The fix is straightforward and correct: it ensures the full range of bytes to be copied (`idx + num_bytes`) is validated against `curlen` before each `memcpy`, rather than just checking the current index position.

The patch is well-motivated — `raw->msg[]` is 256 bytes and `curlen` is `u8` (max 255), so a malicious or misbehaving MST hub could craft a reply with `num_bytes` set larger than the remaining payload, causing the `memcpy` to read past the valid message data. Both destination buffers (`bytes[255]`) are large enough for the max `u8` value, so no destination overflow is possible — the issue is purely about reading past the received data in `raw->msg[]`.

**Verdict: Looks good.** The fix is minimal, correct, and appropriate for stable backport.

---
Generated by Claude Code Patch Reviewer
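
A simplified model of the check the review describes, added here as an illustration and not taken from the patch or the kernel source. The struct names, the three-byte header layout and the sample reply are assumptions; the point is the difference between checking the start index and checking `idx + num_bytes` against `curlen`.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for the buffers the review names. */
struct sb_rx { uint8_t msg[256]; uint8_t curlen; /* valid bytes in msg[] */ };
struct read_ack { uint8_t port_number, num_bytes, bytes[255]; };

/* Before: only the payload start index is compared with curlen. */
static bool parse_index_only(const struct sb_rx *raw, struct read_ack *ack)
{
	int idx = 3; /* assumed layout: msg[1] port, msg[2] num_bytes, payload at 3 */
	ack->port_number = raw->msg[1] & 0xf;
	ack->num_bytes = raw->msg[2];
	if (idx > raw->curlen)
		return false;
	memcpy(ack->bytes, &raw->msg[idx], ack->num_bytes); /* can pass curlen */
	return true;
}

/* After: the whole range idx + num_bytes must fit inside curlen. */
static bool parse_range_checked(const struct sb_rx *raw, struct read_ack *ack)
{
	int idx = 3; /* same assumed layout as above */
	ack->port_number = raw->msg[1] & 0xf;
	ack->num_bytes = raw->msg[2];
	if (idx + ack->num_bytes > raw->curlen)
		return false;
	memcpy(ack->bytes, &raw->msg[idx], ack->num_bytes);
	return true;
}

/* Constructed sample: 4 payload bytes received, rest of msg[] is stale 0xAA. */
static struct sb_rx make_reply(uint8_t claimed_len)
{
	struct sb_rx raw = { .curlen = 7 }; /* 3 header + 4 payload bytes */
	memset(raw.msg, 0xAA, sizeof(raw.msg));
	raw.msg[1] = 0x01;        /* port 1 */
	raw.msg[2] = claimed_len; /* num_bytes as claimed by the sender */
	memcpy(&raw.msg[3], "\x11\x22\x33\x44", 4);
	return raw;
}

int main(void)
{
	struct sb_rx raw = make_reply(200); /* claims 200, only 4 arrived */
	struct read_ack ack;
	return parse_index_only(&raw, &ack) && !parse_range_checked(&raw, &ack) ? 0 : 1;
}
```

With the constructed reply, the index-only parser copies 196 bytes of stale buffer contents into the result, while the range-checked parser rejects the message.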