From: Dan Carpenter <dan.carpenter@oracle.com>
To: yhchuang@realtek.com
Cc: linux-wireless@vger.kernel.org
Subject: [bug report] rtw88: new Realtek 802.11ac driver
Date: Fri, 3 May 2019 23:12:02 +0300
Message-ID: <20190503201202.GA26955@mwanda>

Hello Yan-Hsuan Chuang,

The patch e3037485c68e: "rtw88: new Realtek 802.11ac driver" from Apr
26, 2019, leads to the following static checker warning:

        drivers/net/wireless/realtek/rtw88/efuse.c:78 rtw_dump_logical_efuse_map()
        error: buffer overflow 'log_map' 768 <= 768

drivers/net/wireless/realtek/rtw88/efuse.c
    38  static int rtw_dump_logical_efuse_map(struct rtw_dev *rtwdev, u8 *phy_map,
    39                                        u8 *log_map)
    40  {
    41          u32 physical_size = rtwdev->efuse.physical_size;
    42          u32 protect_size = rtwdev->efuse.protect_size;
    43          u32 logical_size = rtwdev->efuse.logical_size;
    44          u32 phy_idx, log_idx;
    45          u8 hdr1, hdr2;
    46          u8 blk_idx;
    47          u8 word_en;
    48          int i;
    49
    50          for (phy_idx = 0; phy_idx < physical_size - protect_size;) {
    51                  hdr1 = phy_map[phy_idx];
    52                  hdr2 = phy_map[phy_idx + 1];
    53                  if (invalid_efuse_header(hdr1, hdr2))
    54                          break;
    55
    56                  if ((hdr1 & 0x1f) == 0xf) {
    57                          /* 2-byte header format */
    58                          blk_idx = get_efuse_blk_idx_2_byte(hdr1, hdr2);
    59                          word_en = hdr2 & 0xf;
    60                          phy_idx += 2;
    61                  } else {
    62                          /* 1-byte header format */
    63                          blk_idx = get_efuse_blk_idx_1_byte(hdr1);
    64                          word_en = hdr1 & 0xf;
    65                          phy_idx += 1;
    66                  }
    67
    68                  for (i = 0; i < 4; i++) {
    69                          if (invalid_efuse_content(word_en, i))
    70                                  continue;
    71
    72                          log_idx = block_idx_to_logical_idx(blk_idx, i);
    73                          if (phy_idx + 1 > physical_size - protect_size ||
    74                              log_idx + 1 > logical_size)
                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^
This is a false positive because we know that "log_idx + 1" is an odd
number and logical_size is even so they can't be equal...  But I wonder
if it would make it more readable to change the > to >=?

The log_map[] array has logical_size elements.  It's allocated in
rtw_parse_efuse_map().

    75                                  return -EINVAL;
    76
    77                          log_map[log_idx] = phy_map[phy_idx];
    78                          log_map[log_idx + 1] = phy_map[phy_idx + 1];
                                ^^^^^^^^^^^^^^^^^^^
    79                          phy_idx += 2;
    80                  }
    81          }
    82          return 0;

regards,
dan carpenter
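
The parity argument in the message above, checked exhaustively as an added example (not part of the original message and not the driver's code). It assumes block_idx_to_logical_idx() always yields an even index, modeled here as (blk_idx << 3) + (i << 1); the function names are hypothetical and 767 is a constructed odd size for contrast.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumption: the logical index is always even, modeled as blk*8 + word*2. */
static uint32_t log_index(uint8_t blk_idx, int word)
{
    return ((uint32_t)blk_idx << 3) + ((uint32_t)word << 1);
}

/* Logical-size half of the check quoted at lines 73-74 ('>' form). */
static int rejects_gt(uint32_t log_idx, uint32_t logical_size)
{
    return log_idx + 1 > logical_size;
}

/* The '>=' form suggested in the message. */
static int rejects_ge(uint32_t log_idx, uint32_t logical_size)
{
    return log_idx + 1 >= logical_size;
}

/*
 * Count (blk_idx, word) pairs that pass the check although the second
 * store, log_map[log_idx + 1], would land outside a logical_size-byte map.
 */
static unsigned count_oob_accepted(int (*rejects)(uint32_t, uint32_t),
                                   uint32_t logical_size)
{
    unsigned n = 0;

    for (unsigned blk = 0; blk < 256; blk++)
        for (int word = 0; word < 4; word++) {
            uint32_t idx = log_index((uint8_t)blk, word);

            if (!rejects(idx, logical_size) && idx + 1 >= logical_size)
                n++;
        }
    return n;
}

int main(void)
{
    /* 768 is the size from the checker warning; 767 is a constructed odd size. */
    printf("size 768: '>' lets %u through, '>=' lets %u through\n",
           count_oob_accepted(rejects_gt, 768), count_oob_accepted(rejects_ge, 768));
    printf("size 767: '>' lets %u through, '>=' lets %u through\n",
           count_oob_accepted(rejects_gt, 767), count_oob_accepted(rejects_ge, 767));
    return 0;
}
```

With the even size both forms reject every out-of-bounds index; with the constructed odd size, index 766 passes the '>' form and only the '>=' form rejects it.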