From: Dan Carpenter <dan.carpenter@linaro.org>
To: libertas-dev@lists.infradead.org, linux-wireless@vger.kernel.org
Subject: [bug report] libertas: if_spi, driver for libertas GSPI devices
Date: Fri, 29 Aug 2025 10:08:43 +0300
Message-ID: <aLFR-5CzpMiaqB7P@stanley.mountain>

Hello libertas devs,


Ancient commit d2b21f191753 ("libertas: if_spi, driver for libertas
GSPI devices") from Jan 9, 2009 (linux-next), leads to the following
Smatch static checker warning:

	drivers/net/wireless/marvell/libertas/if_spi.c:719 if_spi_c2h_cmd()
	error: '__memcpy()' 'priv->resp_buf[i]' copy overflow (2312 vs 2400)

drivers/net/wireless/marvell/libertas/if_spi.c
    670 static int if_spi_c2h_cmd(struct if_spi_card *card)
    671 {
    672         struct lbs_private *priv = card->priv;
    673         unsigned long flags;
    674         int err = 0;
    675         u16 len;
    676         u8 i;
    677 
    678         /*
    679          * We need a buffer big enough to handle whatever people send to
    680          * hw_host_to_card
    681          */
    682         BUILD_BUG_ON(IF_SPI_CMD_BUF_SIZE < LBS_CMD_BUFFER_SIZE);
    683         BUILD_BUG_ON(IF_SPI_CMD_BUF_SIZE < LBS_UPLD_SIZE);
    684 
    685         /*
    686          * It's just annoying if the buffer size isn't a multiple of 4, because
    687          * then we might have len < IF_SPI_CMD_BUF_SIZE but
    688          * ALIGN(len, 4) > IF_SPI_CMD_BUF_SIZE
    689          */
    690         BUILD_BUG_ON(IF_SPI_CMD_BUF_SIZE % 4 != 0);
    691 
    692         /* How many bytes are there to read? */
    693         err = spu_read_u16(card, IF_SPI_SCRATCH_2_REG, &len);
    694         if (err)
    695                 goto out;
    696         if (!len) {
    697                 netdev_err(priv->dev, "%s: error: card has no data for host\n",
    698                            __func__);
    699                 err = -EINVAL;
    700                 goto out;
    701         } else if (len > IF_SPI_CMD_BUF_SIZE) {
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^

The problem is that this is 2400 but ...

    702                 netdev_err(priv->dev,
    703                            "%s: error: response packet too large: %d bytes, but maximum is %d\n",
    704                            __func__, len, IF_SPI_CMD_BUF_SIZE);
    705                 err = -EINVAL;
    706                 goto out;
    707         }
    708 
    709         /* Read the data from the WLAN module into our command buffer */
    710         err = spu_read(card, IF_SPI_CMD_RDWRPORT_REG,
    711                                 card->cmd_buffer, ALIGN(len, 4));
    712         if (err)
    713                 goto out;
    714 
    715         spin_lock_irqsave(&priv->driver_lock, flags);
    716         i = (priv->resp_idx == 0) ? 1 : 0;
    717         BUG_ON(priv->resp_len[i]);
    718         priv->resp_len[i] = len;
--> 719         memcpy(priv->resp_buf[i], card->cmd_buffer, len);
                       ^^^^^^^^^^^^^^^^^

If len is more than LBS_UPLD_SIZE (2312) then it leads to a buffer
overflow here.

    720         lbs_notify_command_response(priv, i);
    721         spin_unlock_irqrestore(&priv->driver_lock, flags);
    722 
    723 out:
    724         if (err)
    725                 netdev_err(priv->dev, "%s: err=%d\n", __func__, err);
    726 
    727         return err;
    728 }

regards,
dan carpenter
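
The size mismatch described in the report above, modelled in user-space C as an added example (not code from the driver or from the report's author). The sizes 2400 and 2312 come from the report; `model_priv`, `original_check`, `accepted_but_too_long`, `copy_response` and the extra destination-size check are assumptions made for illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

/* Sizes as stated in the report; the rest is a constructed user-space model. */
#define IF_SPI_CMD_BUF_SIZE 2400
#define LBS_UPLD_SIZE       2312

struct model_priv {	/* hypothetical stand-in for struct lbs_private */
	uint8_t  resp_buf[2][LBS_UPLD_SIZE];
	uint16_t resp_len[2];
	uint8_t  resp_idx;
};

/* The length check quoted at line 701: bounded by the source buffer only. */
static int original_check(uint16_t len)
{
	return (!len || len > IF_SPI_CMD_BUF_SIZE) ? -EINVAL : 0;
}

/* Count lengths that pass original_check() yet exceed one resp_buf[] slot. */
static unsigned int accepted_but_too_long(void)
{
	unsigned int len, n = 0;

	for (len = 0; len <= UINT16_MAX; len++)
		n += original_check((uint16_t)len) == 0 && len > LBS_UPLD_SIZE;
	return n;
}

/* Assumed fix: also bound len by the destination slot before copying. */
static int copy_response(struct model_priv *priv, const uint8_t *cmd_buffer,
			 uint16_t len)
{
	uint8_t i = (priv->resp_idx == 0) ? 1 : 0;

	if (original_check(len) || len > sizeof(priv->resp_buf[i]))
		return -EINVAL;
	if (priv->resp_len[i])	/* slot busy; the driver uses BUG_ON() here */
		return -EBUSY;
	priv->resp_len[i] = len;
	memcpy(priv->resp_buf[i], cmd_buffer, len);
	return 0;
}
```

Bounding by `sizeof(priv->resp_buf[i])` ties the check to the destination actually written, so it stays correct if either constant changes later.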
