From: Dan Carpenter <dan.carpenter@oracle.com>
To: kvalo@qca.qualcomm.com
Cc: linux-wireless@vger.kernel.org
Subject: [bug report] Add ath6kl cleaned up driver
Date: Wed, 2 May 2018 15:59:08 +0300
Message-ID: <20180502125908.GA25881@mwanda>

Hello Kalle Valo,

The patch bdcd81707973: "Add ath6kl cleaned up driver" from Jul 18,
2011, leads to the following static checker warning:

	drivers/net/wireless/ath/ath6kl/wmi.c:1189 ath6kl_wmi_pstream_timeout_event_rx()
	error: buffer overflow 'wmi->stream_exist_for_ac' 4 <= 255 user_rl='0-255'

drivers/net/wireless/ath/ath6kl/wmi.c
  1171  /* Inactivity timeout of a fatpipe(pstream) at the target */
  1172  static int ath6kl_wmi_pstream_timeout_event_rx(struct wmi *wmi, u8 *datap,
  1173                                                 int len)
  1174  {
  1175          struct wmi_pstream_timeout_event *ev;
  1176  
  1177          if (len < sizeof(struct wmi_pstream_timeout_event))
  1178                  return -EINVAL;
  1179  
  1180          ev = (struct wmi_pstream_timeout_event *) datap;
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Smatch distrusts "datap" because it comes from skb->data on the receive
path.

  1181  
  1182          /*
  1183           * When the pstream (fat pipe == AC) timesout, it means there were
  1184           * no thinStreams within this pstream & it got implicitly created
  1185           * due to data flow on this AC. We start the inactivity timer only
  1186           * for implicitly created pstream. Just reset the host state.
  1187           */
  1188          spin_lock_bh(&wmi->lock);
  1189          wmi->stream_exist_for_ac[ev->traffic_class] = 0;
                                         ^^^^^^^^^^^^^^^^^
How do we know it's less than 4?

  1190          wmi->fat_pipe_exist &= ~(1 << ev->traffic_class);
  1191          spin_unlock_bh(&wmi->lock);
  1192  
  1193          /* Indicate inactivity to driver layer for this fatpipe (pstream) */
  1194          ath6kl_indicate_tx_activity(wmi->parent_dev, ev->traffic_class, false);
  1195  
  1196          return 0;
  1197  }

regards,
dan carpenter
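As an added example (not Dan's code and not the ath6kl driver's), a userspace model of the handler with the bounds check the report asks for placed before the array index; NUM_AC, the state struct and the one-field event layout are stand-ins for the driver's definitions.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-ins (assumed, not the driver's definitions): the report shows a
 * 4-entry stream_exist_for_ac[] indexed by a u8 traffic_class from the frame. */
#define NUM_AC 4

struct pstream_timeout_event {
	uint8_t traffic_class;          /* wire-supplied, may be anything 0..255 */
};

struct wmi_state {
	uint8_t stream_exist_for_ac[NUM_AC];
	uint8_t fat_pipe_exist;         /* one bit per AC */
};

/* Hardened handler: validate the wire-supplied index before using it. */
int pstream_timeout_event_rx(struct wmi_state *wmi, const uint8_t *datap,
			     size_t len)
{
	struct pstream_timeout_event ev;

	if (len < sizeof(ev))
		return -EINVAL;
	/* Copy out instead of casting: no alignment or aliasing assumptions. */
	memcpy(&ev, datap, sizeof(ev));

	/* The check Smatch asks for: a u8 can reach 255, the array has 4 slots. */
	if (ev.traffic_class >= NUM_AC)
		return -EINVAL;

	wmi->stream_exist_for_ac[ev.traffic_class] = 0;
	wmi->fat_pipe_exist &= (uint8_t)~(1u << ev.traffic_class);
	return 0;
}

/* Feed one constructed frame to a state where all four pipes exist.
 * Returns the surviving fat_pipe_exist mask, or -1 if the frame was rejected. */
int remaining_pipes_after(uint8_t traffic_class, size_t len)
{
	struct wmi_state wmi = { {1, 1, 1, 1}, 0x0f };
	uint8_t frame[1] = { traffic_class };   /* constructed WMI event payload */

	if (pstream_timeout_event_rx(&wmi, frame, len) < 0)
		return -1;
	return wmi.fat_pipe_exist;
}
```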
