From: Dan Carpenter <dan.carpenter@oracle.com>
To: manjunatha_halli@ti.com
Cc: linux-media@vger.kernel.org
Subject: re: [media] drivers:media:radio: wl128x: FM Driver Common sources
Date: Fri, 13 Jul 2012 14:51:22 +0300
Message-ID: <20120713115121.GA27595@elgon.mountain>

Hello Manjunatha Halli,

The patch e8454ff7b9a4: "[media] drivers:media:radio: wl128x: FM
Driver Common sources" from Jan 11, 2011, leads to the following
warning:
drivers/media/radio/wl128x/fmdrv_common.c:596 fm_irq_handle_flag_getcmd_resp()
	 error: untrusted 'fm_evt_hdr->dlen' is not capped properly

[ this is on my private Smatch stuff with too many false positives for
  general release ].

   584  static void fm_irq_handle_flag_getcmd_resp(struct fmdev *fmdev)
   585  {
   586          struct sk_buff *skb;
   587          struct fm_event_msg_hdr *fm_evt_hdr;
   588  
   589          if (check_cmdresp_status(fmdev, &skb))
   590                  return;
   591  
   592          fm_evt_hdr = (void *)skb->data;
   593  
   594          /* Skip header info and copy only response data */
   595          skb_pull(skb, sizeof(struct fm_event_msg_hdr));
   596          memcpy(&fmdev->irq_info.flag, skb->data, fm_evt_hdr->dlen);
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

   597  
   598          fmdev->irq_info.flag = be16_to_cpu(fmdev->irq_info.flag);
   599          fmdbg("irq: flag register(0x%x)\n", fmdev->irq_info.flag);
   600  
   601          /* Continue next function in interrupt handler table */
   602          fm_irq_call_stage(fmdev, FM_HW_MAL_FUNC_IDX);
   603  }

What are we copying here?  How do we know that ->dlen doesn't overflow
the buffer?  Why do we memcpy() and then overwrite part of the data on
the next line?

regards,
dan carpenter
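
Added example (not part of the original message, and not the driver's code): a user-space C model of capping an untrusted length field such as ->dlen against both the destination size and the bytes actually received before calling memcpy(). The header layout, read_flag() and the sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed two-byte event header; not the wl128x driver's real layout. */
struct evt_hdr {
    uint8_t op;
    uint8_t dlen;   /* payload length as reported by the device: untrusted */
};

/* Returns 0 and sets *flag on success, -1 if the packet or its length is bad. */
int read_flag(const uint8_t *pkt, size_t pkt_len, uint16_t *flag)
{
    struct evt_hdr hdr;
    uint8_t raw[sizeof(*flag)];

    /* The header itself must be present before dlen can be read. */
    if (pkt_len < sizeof(hdr))
        return -1;
    memcpy(&hdr, pkt, sizeof(hdr));

    /* Cap against the destination: a flag is exactly two bytes. */
    if (hdr.dlen != sizeof(raw))
        return -1;

    /* Cap against the source: the payload must really be in the packet. */
    if (pkt_len - sizeof(hdr) < hdr.dlen)
        return -1;

    /* Copy a fixed, already validated size, then convert big-endian to host. */
    memcpy(raw, pkt + sizeof(hdr), sizeof(raw));
    *flag = (uint16_t)((raw[0] << 8) | raw[1]);
    return 0;
}

/* Constructed sample packets. */
static const uint8_t pkt_ok[]    = { 0x01, 0x02, 0x12, 0x34 };
static const uint8_t pkt_long[]  = { 0x01, 0xff, 0x12, 0x34 }; /* dlen too big */
static const uint8_t pkt_short[] = { 0x01, 0x02, 0x12 };       /* truncated */

int main(void)
{
    uint16_t flag = 0;

    if (read_flag(pkt_ok, sizeof(pkt_ok), &flag) != 0 || flag != 0x1234)
        return 1;
    if (read_flag(pkt_long, sizeof(pkt_long), &flag) != -1)
        return 1;
    return read_flag(pkt_short, sizeof(pkt_short), &flag) == -1 ? 0 : 1;
}
```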
