* [bug report] net: ethernet: mtk_wed: introduce wed mcu support
@ 2023-02-01 13:37 Dan Carpenter
From: Dan Carpenter @ 2023-02-01 13:37 UTC (permalink / raw)
To: sujuan.chen; +Cc: linux-mediatek, Masami Ichikawa, cip-dev
Hello Sujuan Chen,
The patch cc514101a97e: "net: ethernet: mtk_wed: introduce wed mcu
support" from Nov 5, 2022, leads to the following Smatch static
checker warning:
drivers/net/ethernet/mediatek/mtk_wed_mcu.c:82 mtk_wed_update_rx_stats()
warn: uncapped user loop index 'i'
drivers/net/ethernet/mediatek/mtk_wed_mcu.c
    64  static void
    65  mtk_wed_update_rx_stats(struct mtk_wed_device *wed, struct sk_buff *skb)
    66  {
    67          u32 count = get_unaligned_le32(skb->data);
    68          struct mtk_wed_wo_rx_stats *stats;
    69          int i;
    70
    71          if (count * sizeof(*stats) > skb->len - sizeof(u32))
    72                  return;
There are two issues.
Bug 1: There is no check that skb->len >= sizeof(u32) so the
get_unaligned_le32(skb->data); can result in an out of bounds read and
the bounds check on count is not effective.
Bug 2: On a 32bit system the "count * sizeof(*stats)" multiplication can
have an integer overflow bug. Suggestion:
	if (size_mul(count, sizeof(*stats)) > skb->len - sizeof(u32))
		return;
    73
    74          stats = (struct mtk_wed_wo_rx_stats *)(skb->data + sizeof(u32));
    75          for (i = 0 ; i < count ; i++)
--> 76                  wed->wlan.update_wo_rx_stats(wed, &stats[i]);
    77  }
regards,
dan carpenter
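
The two issues in the report, reproduced in user space as an added example (not code from the report or from the kernel). It models a 32-bit `size_t` with the hypothetical `size32_t` so the wrap shows on any host, and shows the check from line 71 accepting messages that a length-first, overflow-checked version rejects. `REC_SIZE`, the sample messages and both function names are assumptions; the GCC/Clang builtin `__builtin_mul_overflow` stands in for the kernel's `size_mul()`.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t size32_t;  /* models size_t on a 32-bit build (assumption) */
#define REC_SIZE 16u        /* assumed stand-in for sizeof(*stats) */

/* Constructed messages: little-endian count followed by payload bytes. */
static const uint8_t msg_ok[4 + 2 * REC_SIZE] = { 0x02, 0x00, 0x00, 0x00 };
static const uint8_t msg_wrap[4 + REC_SIZE]   = { 0x01, 0x00, 0x00, 0x10 };
static const uint8_t msg_short[2]             = { 0xff, 0xff };

static uint32_t read_le32(const uint8_t *p)
{
	return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Line 71 of the listing in 32-bit arithmetic: 1 means the loop would run.
 * count is passed in so the demo itself never reads past a short buffer. */
static int original_check_passes(uint32_t count, size32_t len)
{
	size32_t need = count * REC_SIZE;                  /* Bug 2: can wrap */
	return !(need > len - (size32_t)sizeof(uint32_t)); /* Bug 1: len < 4 wraps */
}

/* Returns the record count that is safe to walk, or -1 to drop the message. */
static int64_t hardened_record_count(const uint8_t *data, size32_t len)
{
	size32_t need;
	uint32_t count;

	if (len < sizeof(uint32_t))             /* header must be present first */
		return -1;
	count = read_le32(data);
	if (__builtin_mul_overflow(count, (size32_t)REC_SIZE, &need))
		return -1;                      /* product does not fit */
	if (need > len - (size32_t)sizeof(uint32_t))
		return -1;                      /* payload too short */
	return count;
}

int main(void)
{
	printf("ok:    orig=%d hardened=%lld\n", original_check_passes(2, sizeof(msg_ok)),
	       (long long)hardened_record_count(msg_ok, sizeof(msg_ok)));
	printf("wrap:  orig=%d hardened=%lld\n", original_check_passes(0x10000001u, sizeof(msg_wrap)),
	       (long long)hardened_record_count(msg_wrap, sizeof(msg_wrap)));
	printf("short: orig=%d hardened=%lld\n", original_check_passes(0xffffu, sizeof(msg_short)),
	       (long long)hardened_record_count(msg_short, sizeof(msg_short)));
	return 0;
}
```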