From: Dan Carpenter <dan.carpenter@oracle.com>
To: arend@broadcom.com
Cc: linux-wireless@vger.kernel.org, brcm80211-dev-list@broadcom.com
Subject: re: brcm80211: use endian annotation for pmk related structure
Date: Fri, 31 Oct 2014 15:51:36 +0300 [thread overview]
Message-ID: <20141031125136.GA17467@mwanda> (raw)
Hello Arend van Spriel,
The patch 40c8e95af02d: "brcm80211: use endian annotation for pmk
related structure" from Oct 12, 2011, leads to the following static
checker warning:
drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c:2965 brcmf_cfg80211_set_pmksa()
warn: can 'pmkid_len' be negative?
drivers/net/wireless/brcm80211/brcmfmac/cfg80211.c
2950 brcmf_cfg80211_set_pmksa(struct wiphy *wiphy, struct net_device *ndev,
2951 struct cfg80211_pmksa *pmksa)
2952 {
2953 struct brcmf_cfg80211_info *cfg = wiphy_to_cfg(wiphy);
2954 struct brcmf_if *ifp = netdev_priv(ndev);
2955 struct pmkid_list *pmkids = &cfg->pmk_list->pmkids;
2956 s32 err = 0;
2957 int i;
2958 int pmkid_len;
2959
2960 brcmf_dbg(TRACE, "Enter\n");
2961 if (!check_vif_up(ifp->vif))
2962 return -EIO;
2963
2964 pmkid_len = le32_to_cpu(pmkids->npmkid);
The thinking behind this check is that endian data is less trust worthy
than cpu data. But probably this comes from the hardware so it's fine?
Anyway, let's assume pmkid_len = -1.
2965 for (i = 0; i < pmkid_len; i++)
2966 if (!memcmp(pmksa->bssid, pmkids->pmkid[i].BSSID, ETH_ALEN))
2967 break;
We don't enter this loop.
2968 if (i < WL_NUM_PMKIDS_MAX) {
Zero is less than WL_NUM_PMKIDS_MAX.
2969 memcpy(pmkids->pmkid[i].BSSID, pmksa->bssid, ETH_ALEN);
2970 memcpy(pmkids->pmkid[i].PMKID, pmksa->pmkid, WLAN_PMKID_LEN);
2971 if (i == pmkid_len) {
^^^^^^^^^^^^^^
This is false.
2972 pmkid_len++;
2973 pmkids->npmkid = cpu_to_le32(pmkid_len);
2974 }
2975 } else
2976 err = -EINVAL;
2977
2978 brcmf_dbg(CONN, "set_pmksa,IW_PMKSA_ADD - PMKID: %pM =\n",
2979 pmkids->pmkid[pmkid_len].BSSID);
^^^^^^^^^^^^^^^^^^^^^^^
Underflow.
2980 for (i = 0; i < WLAN_PMKID_LEN; i++)
2981 brcmf_dbg(CONN, "%02x\n", pmkids->pmkid[pmkid_len].PMKID[i]);
^^^^^^^^^^^^^^^^^^^^^^^^
Underflow.
2982
2983 err = brcmf_update_pmklist(ndev, cfg->pmk_list, err);
2984
2985 brcmf_dbg(TRACE, "Exit\n");
2986 return err;
2987 }
regards,
dan carpenter
next reply other threads:[~2014-10-31 12:51 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-10-31 12:51 Dan Carpenter [this message]
2014-10-31 14:18 ` brcm80211: use endian annotation for pmk related structure Arend van Spriel
2014-10-31 14:26 ` Dan Carpenter
2014-10-31 14:37 ` Arend van Spriel
2014-11-03 12:22 ` Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20141031125136.GA17467@mwanda \
--to=dan.carpenter@oracle.com \
--cc=arend@broadcom.com \
--cc=brcm80211-dev-list@broadcom.com \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.