Re: [PATCH v2 2/2] mac80211: Use flexible array in struct ieee80211_tim_ie

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Kees Cook <keescook@chromium.org>
To: Jeff Johnson <quic_jjohnson@quicinc.com>
Cc: "Christian Lamparter" <chunkeey@gmail.com>,
	kernel@quicinc.com, "Kalle Valo" <kvalo@kernel.org>,
	"Toke Høiland-Jørgensen" <toke@toke.dk>,
	"Christian Lamparter" <chunkeey@googlemail.com>,
	"Stanislaw Gruszka" <stf_xl@wp.pl>,
	"Helmut Schaa" <helmut.schaa@googlemail.com>,
	"Ping-Ke Shih" <pkshih@realtek.com>,
	"Johannes Berg" <johannes@sipsolutions.net>,
	"David S. Miller" <davem@davemloft.net>,
	"Eric Dumazet" <edumazet@google.com>,
	"Jakub Kicinski" <kuba@kernel.org>,
	"Paolo Abeni" <pabeni@redhat.com>,
	linux-wireless@vger.kernel.org, linux-kernel@vger.kernel.org,
	netdev@vger.kernel.org
Subject: Re: [PATCH v2 2/2] mac80211: Use flexible array in struct ieee80211_tim_ie
Date: Wed, 30 Aug 2023 15:31:10 -0700	[thread overview]
Message-ID: <202308301529.AC90A9EF98@keescook> (raw)
In-Reply-To: <9da7f41e-6d4a-452a-8042-0b09cad71bb8@quicinc.com>

On Wed, Aug 30, 2023 at 01:22:37PM -0700, Jeff Johnson wrote:
> On 8/30/2023 12:51 PM, Christian Lamparter wrote:
> > Hi,
> > 
> > On 8/29/23 15:29, Jeff Johnson wrote:
> > > Currently struct ieee80211_tim_ie defines:
> > >     u8 virtual_map[1];
> > > 
> > > Per the guidance in [1] change this to be a flexible array.
> > > 
> > > As a result of this change, adjust all related struct size tests to
> > > account for the fact that the sizeof(struct ieee80211_tim_ie) now
> > > accounts for the minimum size of the virtual_map.
> > > 
> > > [1] https://docs.kernel.org/process/deprecated.html#zero-length-and-one-element-arrays
> > > 
> > > Signed-off-by: Jeff Johnson <quic_jjohnson@quicinc.com>
> > > ---
> > > diff --git a/include/linux/ieee80211.h b/include/linux/ieee80211.h
> > > index bd2f6e19c357..4cdc2eb98f16 100644
> > > --- a/include/linux/ieee80211.h
> > > +++ b/include/linux/ieee80211.h
> > > @@ -961,7 +961,7 @@ struct ieee80211_tim_ie {
> > >       u8 dtim_period;
> > >       u8 bitmap_ctrl;
> > >       /* variable size: 1 - 251 bytes */
> > > -    u8 virtual_map[1];
> > > +    u8 virtual_map[];
> > >   } __packed;
> > 
> > 
> > Uhh, the 802.11 (my 2012 Version has this in) spec in
> > 8.4.2.7 TIM Element demands this to be 1 - 251 bytes.
> > And this is why there's a comment above... With your
> > change this could be confusing. Would it be possible
> > to fix that somehow? Like in a anonymous union/group
> > with a flexible array and a u8?
> 
> Adding Kees to the discussion for any advice. Yes, the virtual_map must
> contain at least one octet but may contain more than one. And to complicate
> matters, the information that tells us how many octets are actually present
> is found outside the struct; the TLV header that precedes the struct will
> contain the length of the struct, and hence the length of the bitmap is that
> size - 2 (the size of the dtim_period and bitmap_ctrl fields).

Bummer about the count variable being elsewhere, but we'll deal with
that later. :)

For the array declaration, though, yes, we can do a "minimum size 1" like
this:

	union {
		u8 required_byte;
		DECLARE_FLEX_ARRAY(u8, virtual_map);
	};

-- 
Kees Cook

next prev parent reply	other threads:[~2023-08-30 22:31 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-08-29 13:29 [PATCH v2 0/2] wifi: Fix struct ieee80211_tim_ie::virtual_map Jeff Johnson
2023-08-29 13:29 ` [PATCH v2 1/2] wifi: cw1200: Avoid processing an invalid TIM IE Jeff Johnson
2023-08-29 13:29 ` [PATCH v2 2/2] mac80211: Use flexible array in struct ieee80211_tim_ie Jeff Johnson
2023-08-30 19:51   ` Christian Lamparter
2023-08-30 20:22     ` Jeff Johnson
2023-08-30 22:31       ` Kees Cook [this message]
2024-05-14  4:51         ` Sam James
2024-05-14  5:49           ` Kees Cook
2023-08-30 20:24     ` Jeff Johnson

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=202308301529.AC90A9EF98@keescook \
    --to=keescook@chromium.org \
    --cc=chunkeey@gmail.com \
    --cc=chunkeey@googlemail.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=helmut.schaa@googlemail.com \
    --cc=johannes@sipsolutions.net \
    --cc=kernel@quicinc.com \
    --cc=kuba@kernel.org \
    --cc=kvalo@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=pkshih@realtek.com \
    --cc=quic_jjohnson@quicinc.com \
    --cc=stf_xl@wp.pl \
    --cc=toke@toke.dk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.