From: Dan Carpenter <dan.carpenter@linaro.org>
To: Ajay Singh <ajay.kathat@microchip.com>
Cc: linux-wireless@vger.kernel.org
Subject: [bug report] wilc1000: move wilc driver out of staging
Date: Fri, 29 Aug 2025 10:50:07 +0300
Message-ID: <aLFbr9Yu9j_TQTey@stanley.mountain>
Hello Ajay Singh,
[ Obviously this bug was in staging as well... ]
Commit 5625f965d764 ("wilc1000: move wilc driver out of staging")
from Jun 25, 2020 (linux-next), leads to the following Smatch static
checker warning:
drivers/net/wireless/microchip/wilc1000/wlan_cfg.c:184 wilc_wlan_parse_response_frame()
error: '__memcpy()' 'cfg->s[i]->str' copy overflow (512 vs 65537)
drivers/net/wireless/microchip/wilc1000/wlan_cfg.c
138 static void wilc_wlan_parse_response_frame(struct wilc *wl, u8 *info, int size)
139 {
140         u16 wid;
141         u32 len = 0, i = 0;
142         struct wilc_cfg *cfg = &wl->cfg;
143 
144         while (size > 0) {
145                 i = 0;
146                 wid = get_unaligned_le16(info);
147 
148                 switch (FIELD_GET(WILC_WID_TYPE, wid)) {
149                 case WID_CHAR:
150                         while (cfg->b[i].id != WID_NIL && cfg->b[i].id != wid)
151                                 i++;
152 

This is the rx path and info comes from skb->data so it feels like we
need more bounds checking.

                        if (size < 5)
                                return;

153                         if (cfg->b[i].id == wid)
154                                 cfg->b[i].val = info[4];
155 
156                         len = 3;
157                         break;
158 
159                 case WID_SHORT:

                        if (size < 6)
                                return;

160                         while (cfg->hw[i].id != WID_NIL && cfg->hw[i].id != wid)
161                                 i++;
162 
163                         if (cfg->hw[i].id == wid)
164                                 cfg->hw[i].val = get_unaligned_le16(&info[4]);
165 
166                         len = 4;
167                         break;
168 
169                 case WID_INT:

                        if (size < 8)
                                return;

170                         while (cfg->w[i].id != WID_NIL && cfg->w[i].id != wid)
171                                 i++;
172 
173                         if (cfg->w[i].id == wid)
174                                 cfg->w[i].val = get_unaligned_le32(&info[4]);
175 
176                         len = 6;
177                         break;
178 
179                 case WID_STR:

How many bytes are there in cfg->s[i].str? Smatch thinks 512, but I
don't know where Smatch is getting that...

                        len = 2 + get_unaligned_le16(&info[2]);
                        if (len + 2 > SOME_LIMIT)
                                return;

180                         while (cfg->s[i].id != WID_NIL && cfg->s[i].id != wid)
181                                 i++;
182 
183                         if (cfg->s[i].id == wid)
--> 184                         memcpy(cfg->s[i].str, &info[2],
185                                        get_unaligned_le16(&info[2]) + 2);
186 
187                         len = 2 + get_unaligned_le16(&info[2]);
188                         break;
189 
190                 default:
191                         break;
192                 }
193                 size -= (2 + len);
194                 info += (2 + len);
195         }
196 }
regards,
dan carpenter
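A bounds-checked parser for the same WID entry layout, added here to illustrate the checks the report asks for (demo code, not the wilc1000 driver's): the entry sizes, the type-in-top-four-bits encoding, the single-slot `demo_cfg` struct, `MAX_STR` and the sample frames are all assumptions made for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Demo assumptions (not the driver's definitions): WID type is the top 4 bits of
 * the wid; fixed entries are 5/6/8 bytes; a string entry is wid(2)+len(2)+len. */
enum { WID_CHAR, WID_SHORT, WID_INT, WID_STR };
#define MAX_STR 512   /* assumed string-slot capacity (Smatch's 512 above) */
struct demo_cfg { uint8_t c; uint16_t s; uint32_t i; uint8_t str[MAX_STR]; size_t str_len; };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t le32(const uint8_t *p) { return le16(p) | ((uint32_t)le16(p + 2) << 16); }

/* Returns entries parsed, or -1 as soon as an entry would overrun the frame or a slot. */
int parse_response_frame(struct demo_cfg *cfg, const uint8_t *info, size_t size)
{
    int n = 0;
    while (size > 0) {
        size_t need;
        if (size < 4) return -1;            /* every entry starts with wid + len */
        unsigned type = le16(info) >> 12;
        switch (type) {
        case WID_CHAR:  need = 5; break;
        case WID_SHORT: need = 6; break;
        case WID_INT:   need = 8; break;
        case WID_STR:   need = 4 + (size_t)le16(info + 2); break;
        default:        return -1;          /* unknown type: its length is unknowable */
        }
        if (need > size) return -1;         /* truncated entry: refuse before touching payload */
        if (type == WID_CHAR)       cfg->c = info[4];
        else if (type == WID_SHORT) cfg->s = le16(info + 4);
        else if (type == WID_INT)   cfg->i = le32(info + 4);
        else {                              /* the driver copies len field + string */
            if (need - 2 > MAX_STR) return -1;  /* the check the memcpy on line 184 lacks */
            memcpy(cfg->str, info + 2, need - 2);
            cfg->str_len = need - 2;
        }
        info += need; size -= need; n++;
    }
    return n;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t good_frame[] = {
    0x01, 0x00, 0x01, 0x00, 0x2a,  0x02, 0x10, 0x02, 0x00, 0x34, 0x12, /* CHAR 0x2a, SHORT 0x1234 */
    0x03, 0x20, 0x04, 0x00, 0x78, 0x56, 0x34, 0x12,                    /* INT 0x12345678 */
    0x04, 0x30, 0x03, 0x00, 'a', 'b', 'c' };                           /* STR "abc" */
static const uint8_t short_frame[] = { 0x03, 0x20, 0x04, 0x00, 0x78 }; /* INT entry cut off */
static const uint8_t huge_str[] = { 0x04, 0x30, 0xff, 0xff, 'a' };     /* claims 65535 bytes */
static struct demo_cfg cfg_store;
```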