All of lore.kernel.org
 help / color / mirror / Atom feed
* [bug report] wifi: mwifiex: add rgpower table loading support
@ 2025-09-05  8:02 Dan Carpenter
  0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2025-09-05  8:02 UTC (permalink / raw)
  To: Stefan Kerkmann; +Cc: linux-wireless

Hello Stefan Kerkmann,

Commit 7b6f16a25806 ("wifi: mwifiex: add rgpower table loading
support") from Aug 4, 2025 (linux-next), leads to the following
(UNPUBLISHED) Smatch static checker warning:

	drivers/net/wireless/marvell/mwifiex/sta_cmd.c:1540 mwifiex_send_rgpower_table()
	warn: not copying enough bytes for '&hostcmd->len' (4 vs 2 bytes)

drivers/net/wireless/marvell/mwifiex/sta_cmd.c
    1509 int mwifiex_send_rgpower_table(struct mwifiex_private *priv, const u8 *data,
    1510                                 const size_t size)
    1511 {
    1512         int ret = 0;
    1513         bool start_raw = false;
    1514         u8 *ptr, *token, *pos = NULL;
    1515         u8 *_data __free(kfree) = NULL;
    1516         struct mwifiex_adapter *adapter = priv->adapter;
    1517         struct mwifiex_ds_misc_cmd *hostcmd __free(kfree) = NULL;
    1518 
    1519         hostcmd = kzalloc(sizeof(*hostcmd), GFP_KERNEL);
    1520         if (!hostcmd)
    1521                 return -ENOMEM;
    1522 
    1523         _data = kmemdup(data, size, GFP_KERNEL);
    1524         if (!_data)
    1525                 return -ENOMEM;
    1526 
    1527         pos = _data;
    1528         ptr = hostcmd->cmd;
    1529         while ((pos - _data) < size) {
    1530                 ret = mwifiex_rgpower_table_advance_to_content(&pos, _data, size);
    1531                 if (ret) {
    1532                         mwifiex_dbg(
    1533                                 adapter, ERROR,
    1534                                 "%s: failed to advance to content in rgpower table\n",
    1535                                 __func__);
    1536                         return ret;
    1537                 }
    1538 
    1539                 if (*pos == '}' && start_raw) {
--> 1540                         memcpy(&hostcmd->len, &hostcmd->cmd[2], sizeof(u16));

hostcmd->len is a u32.  Copying the length into the first two bytes is an
endian bug.  It won't work on big endian systems.

    1541                         ret = mwifiex_send_cmd(priv, 0, 0, 0, hostcmd, false);
    1542                         if (ret) {
    1543                                 mwifiex_dbg(adapter, ERROR,
    1544                                             "%s: failed to send hostcmd %d\n",
    1545                                             __func__, ret);
    1546                                 return ret;
    1547                         }
    1548 
    1549                         memset(hostcmd->cmd, 0, MWIFIEX_SIZE_OF_CMD_BUFFER);
    1550                         ptr = hostcmd->cmd;
    1551                         start_raw = false;
    1552                         pos++;
    1553                         continue;
    1554                 }
    1555 

regards,
dan carpenter

^ permalink raw reply	[flat|nested] only message in thread
only message in thread, other threads:[~2025-09-05  8:02 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-09-05  8:02 [bug report] wifi: mwifiex: add rgpower table loading support Dan Carpenter

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.