* [bug report] libertas: if_spi, driver for libertas GSPI devices
From: Dan Carpenter @ 2025-08-29 7:08 UTC
To: libertas-dev, linux-wireless

Hello libertas devs,

Ancient commit d2b21f191753 ("libertas: if_spi, driver for libertas
GSPI devices") from Jan 9, 2009 (linux-next), leads to the following
Smatch static checker warning:

	drivers/net/wireless/marvell/libertas/if_spi.c:719 if_spi_c2h_cmd()
	error: '__memcpy()' 'priv->resp_buf[i]' copy overflow (2312 vs 2400)

drivers/net/wireless/marvell/libertas/if_spi.c
    670  static int if_spi_c2h_cmd(struct if_spi_card *card)
    671  {
    672          struct lbs_private *priv = card->priv;
    673          unsigned long flags;
    674          int err = 0;
    675          u16 len;
    676          u8 i;
    677
    678          /*
    679           * We need a buffer big enough to handle whatever people send to
    680           * hw_host_to_card
    681           */
    682          BUILD_BUG_ON(IF_SPI_CMD_BUF_SIZE < LBS_CMD_BUFFER_SIZE);
    683          BUILD_BUG_ON(IF_SPI_CMD_BUF_SIZE < LBS_UPLD_SIZE);
    684
    685          /*
    686           * It's just annoying if the buffer size isn't a multiple of 4, because
    687           * then we might have len < IF_SPI_CMD_BUF_SIZE but
    688           * ALIGN(len, 4) > IF_SPI_CMD_BUF_SIZE
    689           */
    690          BUILD_BUG_ON(IF_SPI_CMD_BUF_SIZE % 4 != 0);
    691
    692          /* How many bytes are there to read? */
    693          err = spu_read_u16(card, IF_SPI_SCRATCH_2_REG, &len);
    694          if (err)
    695                  goto out;
    696          if (!len) {
    697                  netdev_err(priv->dev, "%s: error: card has no data for host\n",
    698                             __func__);
    699                  err = -EINVAL;
    700                  goto out;
    701          } else if (len > IF_SPI_CMD_BUF_SIZE) {
                            ^^^^^^^^^^^^^^^^^^^^^^^^^^
The problem is that this is 2400 but ...

    702                  netdev_err(priv->dev,
    703                             "%s: error: response packet too large: %d bytes, but maximum is %d\n",
    704                             __func__, len, IF_SPI_CMD_BUF_SIZE);
    705                  err = -EINVAL;
    706                  goto out;
    707          }
    708
    709          /* Read the data from the WLAN module into our command buffer */
    710          err = spu_read(card, IF_SPI_CMD_RDWRPORT_REG,
    711                         card->cmd_buffer, ALIGN(len, 4));
    712          if (err)
    713                  goto out;
    714
    715          spin_lock_irqsave(&priv->driver_lock, flags);
    716          i = (priv->resp_idx == 0) ? 1 : 0;
    717          BUG_ON(priv->resp_len[i]);
    718          priv->resp_len[i] = len;
--> 719          memcpy(priv->resp_buf[i], card->cmd_buffer, len);
                        ^^^^^^^^^^^^^^^^^
if len is more than LBS_UPLD_SIZE (2312) then it leads to a buffer
overflow here.

    720          lbs_notify_command_response(priv, i);
    721          spin_unlock_irqrestore(&priv->driver_lock, flags);
    722
    723  out:
    724          if (err)
    725                  netdev_err(priv->dev, "%s: err=%d\n", __func__, err);
    726
    727          return err;
    728  }

regards,
dan carpenter
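
An added user-space model of the mismatch reported above (not the driver's code and not a patch from this thread): the length is validated against IF_SPI_CMD_BUF_SIZE (2400) but copied into a slot of LBS_UPLD_SIZE (2312) bytes. `struct model_priv`, `model_c2h_cmd()` and the destination-bounded check are assumptions made for illustration; only the two sizes come from the report.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Sizes quoted in the report; everything else is a user-space stand-in. */
#define IF_SPI_CMD_BUF_SIZE 2400 /* transport buffer the length is checked against */
#define LBS_UPLD_SIZE       2312 /* capacity of each resp_buf slot */
struct model_priv {              /* hypothetical, not struct lbs_private */
	uint8_t  resp_buf[2][LBS_UPLD_SIZE];
	uint8_t  canary[8];      /* stands in for whatever follows resp_buf */
	uint16_t resp_len[2];
};

/* Length check as in the reported code: bounds the source buffer only. */
static int len_ok_reported(uint16_t len)
{
	return len != 0 && len <= IF_SPI_CMD_BUF_SIZE;
}

/* Check that also bounds the copy destination (assumed shape of a fix). */
static int len_ok_dest_bounded(uint16_t len)
{
	return len_ok_reported(len) && len <= LBS_UPLD_SIZE;
}

/* Copy a device-supplied response; slot is 0 or 1, as `i` is in the report. */
static int model_c2h_cmd(struct model_priv *priv, int slot,
			 const uint8_t *cmd_buffer, uint16_t len)
{
	if (!len_ok_dest_bounded(len))
		return -EINVAL;
	memcpy(priv->resp_buf[slot], cmd_buffer, len);
	priv->resp_len[slot] = len;
	return 0;
}

/* Count u16 lengths the reported check accepts but a slot cannot hold. */
static unsigned int overflowing_lengths(void)
{
	unsigned int n = 0;
	for (unsigned int len = 0; len <= UINT16_MAX; len++)
		n += len_ok_reported((uint16_t)len) && len > LBS_UPLD_SIZE;
	return n;
}

int main(void)
{
	printf("lengths past the slot: %u\n", overflowing_lengths());
	return 0;
}
```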