wli1271: buffer overflow static checker warning

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Dan Carpenter <dan.carpenter@oracle.com>
To: Luciano Coelho <luciano.coelho@intel.com>
Cc: linux-wireless@vger.kernel.org
Subject: wli1271: buffer overflow static checker warning
Date: Fri, 7 Nov 2014 13:05:43 +0300	[thread overview]
Message-ID: <20141107100543.GA16332@mwanda> (raw)

Hello Luciano Coelho,

The patch f5fc0f86b02a: "wl1271: add wl1271 driver files" from Aug 6,
2009, leads to the following static checker warning:

	drivers/net/wireless/ti/wlcore/cmd.c:894 wlcore_cmd_configure_failsafe()
	warn: is 'buf' large enough for 'struct acx_header'?

drivers/net/wireless/ti/wlcore/cmd.c
   886  int wlcore_cmd_configure_failsafe(struct wl1271 *wl, u16 id, void *buf,
   887                                    size_t len, unsigned long valid_rets)
   888  {
   889          struct acx_header *acx = buf;
   890          int ret;
   891  
   892          wl1271_debug(DEBUG_CMD, "cmd configure (%d)", id);
   893  
   894          acx->id = cpu_to_le16(id);

"len" is the size of the "buf" buffer.

The warning is because wl1271_tm_cmd_test() and friends check if
len is too large but they don't check if it's too small.

   895  
   896          /* payload length, does not include any headers */
   897          acx->len = cpu_to_le16(len - sizeof(*acx));
   898  
   899          ret = wlcore_cmd_send_failsafe(wl, CMD_CONFIGURE, acx, len, 0,
   900                                         valid_rets);
   901          if (ret < 0) {
   902                  wl1271_warning("CONFIGURE command NOK");
   903                  return ret;
   904          }
   905  
   906          return ret;
   907  }

See also:

	drivers/net/wireless/ti/wl1251/cmd.c:29 wl1251_cmd_send()
	warn: is 'buf' large enough for 'struct wl1251_cmd_header'?

regards,
dan carpenter

next             reply	other threads:[~2014-11-07 10:06 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-11-07 10:05 Dan Carpenter [this message]
2014-11-07 10:11 ` wli1271: buffer overflow static checker warning Luca Coelho
2014-11-10  7:25 ` [PATCH] wlcore: check minimum buffer size in some cmd_send functions Luca Coelho

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20141107100543.GA16332@mwanda \
    --to=dan.carpenter@oracle.com \
    --cc=linux-wireless@vger.kernel.org \
    --cc=luciano.coelho@intel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.