* [bug report] rtw88: new Realtek 802.11ac driver
@ 2019-05-03 20:12 Dan Carpenter
0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2019-05-03 20:12 UTC (permalink / raw)
To: yhchuang; +Cc: linux-wireless
Hello Yan-Hsuan Chuang,
The patch e3037485c68e: "rtw88: new Realtek 802.11ac driver" from Apr
26, 2019, leads to the following static checker warning:
drivers/net/wireless/realtek/rtw88/efuse.c:78 rtw_dump_logical_efuse_map()
error: buffer overflow 'log_map' 768 <= 768
drivers/net/wireless/realtek/rtw88/efuse.c
38 static int rtw_dump_logical_efuse_map(struct rtw_dev *rtwdev, u8 *phy_map,
39 u8 *log_map)
40 {
41 u32 physical_size = rtwdev->efuse.physical_size;
42 u32 protect_size = rtwdev->efuse.protect_size;
43 u32 logical_size = rtwdev->efuse.logical_size;
44 u32 phy_idx, log_idx;
45 u8 hdr1, hdr2;
46 u8 blk_idx;
47 u8 word_en;
48 int i;
49
50 for (phy_idx = 0; phy_idx < physical_size - protect_size;) {
51 hdr1 = phy_map[phy_idx];
52 hdr2 = phy_map[phy_idx + 1];
53 if (invalid_efuse_header(hdr1, hdr2))
54 break;
55
56 if ((hdr1 & 0x1f) == 0xf) {
57 /* 2-byte header format */
58 blk_idx = get_efuse_blk_idx_2_byte(hdr1, hdr2);
59 word_en = hdr2 & 0xf;
60 phy_idx += 2;
61 } else {
62 /* 1-byte header format */
63 blk_idx = get_efuse_blk_idx_1_byte(hdr1);
64 word_en = hdr1 & 0xf;
65 phy_idx += 1;
66 }
67
68 for (i = 0; i < 4; i++) {
69 if (invalid_efuse_content(word_en, i))
70 continue;
71
72 log_idx = block_idx_to_logical_idx(blk_idx, i);
73 if (phy_idx + 1 > physical_size - protect_size ||
74 log_idx + 1 > logical_size)
^^^^^^^^^^^^^^^^^^^^^^^^^^
This is a false positive because we know that "log_idx + 1" is an odd
number and logical_size is even so they can't be equal... But I wonder
if it would make it more readable to change the > to >=?
The log_map[] array has logical_size elements. It's allocated in
rtw_parse_efuse_map().
75 return -EINVAL;
76
77 log_map[log_idx] = phy_map[phy_idx];
78 log_map[log_idx + 1] = phy_map[phy_idx + 1];
^^^^^^^^^^^^^^^^^^^
79 phy_idx += 2;
80 }
81 }
82 return 0;
regards,
dan carpenter
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2019-05-03 20:12 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-05-03 20:12 [bug report] rtw88: new Realtek 802.11ac driver Dan Carpenter
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.