From: Claude Code Review Bot <claude-review@example.com>
To: dri-devel-reviews@example.com
Subject: Claude review: drm/dp/mst: fix OOB reads in remote DPCD/I2C sideband reply parsers
Date: Sat, 16 May 2026 16:07:32 +1000 [thread overview]
Message-ID: <review-patch1-20260510201733.2882224-1-ashutoshdesai993@gmail.com> (raw)
In-Reply-To: <20260510201733.2882224-1-ashutoshdesai993@gmail.com>
Patch Review
**DPCD read fix (line 883):**
```c
- if (idx > raw->curlen)
+ if (idx + repmsg->u.remote_dpcd_read_ack.num_bytes > raw->curlen)
```
Correct. The old check only validated that `idx` (the position after reading `num_bytes` from the header) was within bounds. It did not account for the subsequent `memcpy` of `num_bytes` bytes starting at `idx`. Since `idx` is `int` (value ~3 at this point) and `num_bytes` is `u8` (max 255), the addition cannot overflow and the comparison against `u8 curlen` is safe.
**I2C read fix (lines 919-920):**
```c
- /* TODO check */
+ if (idx + repmsg->u.remote_i2c_read_ack.num_bytes > raw->curlen)
+ goto fail_len;
```
Correct. This resolves a longstanding TODO — the I2C read path had **no** bounds check at all before the `memcpy`. The fix mirrors the DPCD read fix and uses the same `fail_len` label pattern already present in the function.
**Boundary condition correctness:** The check `idx + num_bytes > curlen` is the right comparison. Valid message data occupies indices `0` through `curlen - 1`, so a copy of `num_bytes` starting at `idx` requires `idx + num_bytes <= curlen`. The `>` test correctly rejects violations.
**Minor observation:** The commit message's v2 changelog says "Drop separate `idx > curlen` check" — this accurately describes the DPCD read case where the old check was replaced (since `idx + num_bytes > curlen` with `u8 num_bytes >= 0` subsumes `idx > curlen`). For the I2C case there was nothing to drop (only the TODO comment), but the changelog is adequate.
**No issues found.** The patch is correct, minimal, and appropriate for `Cc: stable`.
---
Generated by Claude Code Patch Reviewer
next prev parent reply other threads:[~2026-05-16 6:07 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-10 20:17 [PATCH v2] drm/dp/mst: fix OOB reads in remote DPCD/I2C sideband reply parsers Ashutosh Desai
2026-05-16 6:07 ` Claude review: " Claude Code Review Bot
2026-05-16 6:07 ` Claude Code Review Bot [this message]
-- strict thread matches above, loose matches on Subject: below --
2026-04-10 3:41 [PATCH] " Ashutosh Desai
2026-04-12 0:33 ` Claude review: " Claude Code Review Bot
2026-04-12 0:33 ` Claude Code Review Bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=review-patch1-20260510201733.2882224-1-ashutoshdesai993@gmail.com \
--to=claude-review@example.com \
--cc=dri-devel-reviews@example.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox