* re: ath5k: added debugfs file for dumping eeprom
@ 2014-09-09  9:38 Dan Carpenter
From: Dan Carpenter @ 2014-09-09  9:38 UTC (permalink / raw)
  To: herself; +Cc: linux-wireless, ath5k-devel

Hello Jade Bilkey,

The patch db906eb2101b: "ath5k: added debugfs file for dumping
eeprom" from Aug 30, 2014, leads to the following static checker
warning:

	drivers/net/wireless/ath/ath5k/debug.c:942 open_file_eeprom()
	error: buffer overflow 'buf' 2048 <= 4095

drivers/net/wireless/ath/ath5k/debug.c
   905  static int open_file_eeprom(struct inode *inode, struct file *file)
   906  {
   907          struct eeprom_private *ep;
   908          struct ath5k_hw *ah = inode->i_private;
   909          bool res;
   910          int i, ret;
   911          u32 eesize;
   912          u16 val, *buf;
                          ^^^
buf is type u16.

   913  
   914          /* Get eeprom size */
   915  
   916          res = ath5k_hw_nvram_read(ah, AR5K_EEPROM_SIZE_UPPER, &val);
   917          if (!res)
   918                  return -EACCES;
   919  
   920          if (val == 0) {
   921                  eesize = AR5K_EEPROM_INFO_MAX + AR5K_EEPROM_INFO_BASE;
   922          } else {
   923                  eesize = (val & AR5K_EEPROM_SIZE_UPPER_MASK) <<
   924                          AR5K_EEPROM_SIZE_ENDLOC_SHIFT;
   925                  ath5k_hw_nvram_read(ah, AR5K_EEPROM_SIZE_LOWER, &val);
   926                  eesize = eesize | val;
   927          }
   928  
   929          if (eesize > 4096)
   930                  return -EINVAL;
   931  
   932          /* Create buffer and read in eeprom */
   933  
   934          buf = vmalloc(eesize);
                              ^^^^^^
eesize is in bytes.

   935          if (!buf) {
   936                  ret = -ENOMEM;
   937                  goto err;
   938          }
   939  
   940          for (i = 0; i < eesize; ++i) {
   941                  AR5K_EEPROM_READ(i, val);
   942                  buf[i] = val;

We are writing u16 but the for loop limit is in terms of bytes so this
loop will corrupt memory past the end of the buffer.

   943          }
   944  

regards,
dan carpenter
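The defect Dan describes is a unit mismatch: `eesize` is a byte count, the buffer is allocated with that byte count, but the loop indexes a `u16` array up to `eesize`, so it writes twice as many bytes as were allocated. The userspace model below is an added example, not code from the ath5k driver or from this mail; `fake_eeprom_read()` and the values it returns are constructed stand-ins for `AR5K_EEPROM_READ`, and `dump_eeprom_safe()` is one hypothetical way to bound the loop by element count rather than byte count while keeping the byte-sized allocation.

```c
/*
 * Added example (not from the ath5k patch or from the mail above): a userspace
 * model of the byte/word sizing bug in open_file_eeprom(), with a bounded variant.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for AR5K_EEPROM_READ: reads word index 'off' into *val.
 * Pretends the part has 64 readable words; returns 0 on success, -1 past the end. */
#define FAKE_EEPROM_WORDS 64u
static int fake_eeprom_read(unsigned int off, uint16_t *val)
{
	if (off >= FAKE_EEPROM_WORDS)
		return -1;
	*val = (uint16_t)(0xA000u + off);	/* constructed sample data */
	return 0;
}

/* Bytes the original loop writes: one u16 store per byte of eesize. */
static size_t buggy_bytes_written(size_t eesize)
{
	return eesize * sizeof(uint16_t);
}

/* u16 elements that actually fit in a buffer of eesize bytes. */
static size_t words_that_fit(size_t eesize)
{
	return eesize / sizeof(uint16_t);
}

/*
 * Bounded variant (hypothetical): keep the byte-sized allocation, since eesize
 * is a byte count, but limit the loop by element count. Returns the buffer and
 * stores the number of words read, or NULL if allocation or any read fails.
 */
static uint16_t *dump_eeprom_safe(size_t eesize, size_t *nwords_out)
{
	size_t nwords = words_that_fit(eesize);
	uint16_t *buf = malloc(eesize);
	size_t i;

	if (!buf)
		return NULL;

	for (i = 0; i < nwords; i++) {
		uint16_t val;

		if (fake_eeprom_read((unsigned int)i, &val)) {
			free(buf);
			return NULL;
		}
		buf[i] = val;	/* never past buf + eesize bytes */
	}
	*nwords_out = nwords;
	return buf;
}

/* Helpers returning plain values: word count (0 on failure) and one word (-1 on failure). */
static size_t dump_eeprom_safe_count(size_t eesize)
{
	size_t n = 0;
	uint16_t *buf = dump_eeprom_safe(eesize, &n);

	if (!buf)
		return 0;
	free(buf);
	return n;
}

static long dump_eeprom_safe_word(size_t eesize, size_t idx)
{
	size_t n = 0;
	uint16_t *buf = dump_eeprom_safe(eesize, &n);
	long v;

	if (!buf)
		return -1;
	v = (idx < n) ? (long)buf[idx] : -1;
	free(buf);
	return v;
}

int main(void)
{
	size_t eesize = 4096;

	printf("eesize=%zu bytes: original loop writes %zu bytes, only %zu u16 fit\n",
	       eesize, buggy_bytes_written(eesize), words_that_fit(eesize));
	printf("bounded dump of 128 bytes: %zu words, first=0x%04lx\n",
	       dump_eeprom_safe_count(128), dump_eeprom_safe_word(128, 0));
	return 0;
}
```

With `eesize` at the driver's 4096-byte cap, the original loop issues 4096 `u16` stores (8192 bytes) into a 4096-byte allocation, which is exactly the `2048 <= 4095` element/index mismatch the checker reports.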
