All of lore.kernel.org
 help / color / mirror / Atom feed
From: Dan Carpenter <dan.carpenter@oracle.com>
To: huxm@marvell.com
Cc: linux-wireless@vger.kernel.org
Subject: [bug report] mwifiex: add rx histogram statistics support
Date: Thu, 17 May 2018 12:27:07 +0300	[thread overview]
Message-ID: <20180517092707.GA5900@mwanda> (raw)

Hello Xinming Hu,

The patch cbf6e05527a7: "mwifiex: add rx histogram statistics
support" from Dec 23, 2014, leads to the following static checker
warning:

	drivers/net/wireless/marvell/mwifiex/util.c:714 mwifiex_hist_data_set()
	error: buffer underflow 'phist_data->snr' '(-128)-127'

drivers/net/wireless/marvell/mwifiex/util.c
   706  /* function to add histogram record */
   707  void mwifiex_hist_data_set(struct mwifiex_private *priv, u8 rx_rate, s8 snr,
                                                                             ^^^^^^
   708                             s8 nflr)
   709  {
   710          struct mwifiex_histogram_data *phist_data = priv->hist_data;
   711  
   712          atomic_inc(&phist_data->num_samples);
   713          atomic_inc(&phist_data->rx_rate[rx_rate]);
   714          atomic_inc(&phist_data->snr[snr]);
   715          atomic_inc(&phist_data->noise_flr[128 + nflr]);
   716          atomic_inc(&phist_data->sig_str[nflr - snr]);

Smatch complains that "snr" comes from skb->data so it's untrusted and
it can be less than zero and underflow the ->snr array.

->snr, ->noise_flr and ->sig_str all have 256 elements.  Obviously it
seems like "snr" should be declared as a u8 instead of an s8.  But I'm
not totally sure what to do about the ->noise_flr and ->sig_str[]
arrays.

   717  }

regards,
dan carpenter

             reply	other threads:[~2018-05-17  9:27 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-05-17  9:27 Dan Carpenter [this message]
2018-05-18  7:42 ` [bug report] mwifiex: add rx histogram statistics support Xinming Hu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20180517092707.GA5900@mwanda \
    --to=dan.carpenter@oracle.com \
    --cc=huxm@marvell.com \
    --cc=linux-wireless@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.