From: Dan Carpenter <dan.carpenter@oracle.com>
To: herself@thefumon.com
Cc: linux-wireless@vger.kernel.org, ath5k-devel@venema.h4ckr.net
Subject: re: ath5k: added debugfs file for dumping eeprom
Date: Tue, 9 Sep 2014 12:38:02 +0300
Message-ID: <20140909093802.GA10439@mwanda>

Hello Jade Bilkey,

The patch db906eb2101b: "ath5k: added debugfs file for dumping
eeprom" from Aug 30, 2014, leads to the following static checker
warning:

	drivers/net/wireless/ath/ath5k/debug.c:942 open_file_eeprom()
	error: buffer overflow 'buf' 2048 <= 4095

drivers/net/wireless/ath/ath5k/debug.c
   905  static int open_file_eeprom(struct inode *inode, struct file *file)
   906  {
   907          struct eeprom_private *ep;
   908          struct ath5k_hw *ah = inode->i_private;
   909          bool res;
   910          int i, ret;
   911          u32 eesize;
   912          u16 val, *buf;
                          ^^^
buf is type u16.

   913  
   914          /* Get eeprom size */
   915  
   916          res = ath5k_hw_nvram_read(ah, AR5K_EEPROM_SIZE_UPPER, &val);
   917          if (!res)
   918                  return -EACCES;
   919  
   920          if (val == 0) {
   921                  eesize = AR5K_EEPROM_INFO_MAX + AR5K_EEPROM_INFO_BASE;
   922          } else {
   923                  eesize = (val & AR5K_EEPROM_SIZE_UPPER_MASK) <<
   924                          AR5K_EEPROM_SIZE_ENDLOC_SHIFT;
   925                  ath5k_hw_nvram_read(ah, AR5K_EEPROM_SIZE_LOWER, &val);
   926                  eesize = eesize | val;
   927          }
   928  
   929          if (eesize > 4096)
   930                  return -EINVAL;
   931  
   932          /* Create buffer and read in eeprom */
   933  
   934          buf = vmalloc(eesize);
                              ^^^^^^
eesize is in bytes.

   935          if (!buf) {
   936                  ret = -ENOMEM;
   937                  goto err;
   938          }
   939  
   940          for (i = 0; i < eesize; ++i) {
   941                  AR5K_EEPROM_READ(i, val);
   942                  buf[i] = val;

We are writing u16 but the for loop limit is in terms of bytes so this
loop will corrupt memory past the end of the buffer.

   943          }
   944  

regards,
dan carpenter
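Added example, not part of Dan's message or of the ath5k driver: a self-contained C reproduction of the units mismatch described above. fake_eeprom_read() is a constructed stand-in for ath5k_hw_nvram_read(), overrun_bytes() computes how far the flagged loop shape runs past its allocation (the checker's 2048-element buffer for a 4096-byte eesize, indexed up to 4095), and dump_eeprom_words() shows the loop bound derived from eesize / sizeof(u16) so that allocation and index agree on units. All three names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for ath5k_hw_nvram_read(): the EEPROM is an array of
 * 16-bit words addressed by word offset, and reads past the end fail. */
#define FAKE_EEPROM_WORDS 16
static const uint16_t fake_eeprom[FAKE_EEPROM_WORDS] = {
	0x5aa5, 0x0001, 0x0002, 0x0003, 0x0004, 0x0005, 0x0006, 0x0007,
	0x0008, 0x0009, 0x000a, 0x000b, 0x000c, 0x000d, 0x000e, 0x000f,
};

static int fake_eeprom_read(size_t word_offset, uint16_t *val)
{
	if (word_offset >= FAKE_EEPROM_WORDS)
		return 0;		/* hardware read failed */
	*val = fake_eeprom[word_offset];
	return 1;
}

/* The pattern the checker flagged: a buffer of alloc_bytes receives nstores
 * elements of elem_size bytes each. Returns how many bytes land past the
 * end of the allocation (0 when the loop is correctly bounded). */
static size_t overrun_bytes(size_t alloc_bytes, size_t nstores, size_t elem_size)
{
	size_t needed = nstores * elem_size;
	return needed > alloc_bytes ? needed - alloc_bytes : 0;
}

/* Hardened shape: the loop bound is the byte size divided by the element
 * size, so buffer and index use the same unit, and a failed read aborts
 * instead of storing a stale value. Returns the number of words copied
 * into *out (caller frees), or -1 on allocation or read failure. */
static int dump_eeprom_words(size_t eesize_bytes, uint16_t **out)
{
	size_t nwords = eesize_bytes / sizeof(uint16_t);
	uint16_t *buf = malloc(nwords * sizeof(*buf));
	size_t i;
	uint16_t val;
	if (!buf)
		return -1;
	for (i = 0; i < nwords; i++) {
		if (!fake_eeprom_read(i, &val)) {
			free(buf);
			return -1;
		}
		buf[i] = val;
	}
	*out = buf;
	return (int)nwords;
}
```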
