From: <Ajay.Kathat@microchip.com>
To: <dan.carpenter@linaro.org>
Cc: <linux-wireless@vger.kernel.org>
Subject: Re: [bug report] wilc1000: move wilc driver out of staging
Date: Fri, 29 Aug 2025 18:53:32 +0000 [thread overview]
Message-ID: <f629abce-47bf-45ce-82e0-a50f5fd7abc8@microchip.com> (raw)
In-Reply-To: <aLFbr9Yu9j_TQTey@stanley.mountain>
Hi Dan,
Thanks for pointing out this warning along with the analysis.
On 8/29/25 00:50, Dan Carpenter wrote:
> EXTERNAL EMAIL: Do not click links or open attachments unless you know the content is safe
>
> Hello Ajay Singh,
>
> [ Obviously this bug was in staging as well... ]
>
> Commit 5625f965d764 ("wilc1000: move wilc driver out of staging")
> from Jun 25, 2020 (linux-next), leads to the following Smatch static
> checker warning:
>
> drivers/net/wireless/microchip/wilc1000/wlan_cfg.c:184 wilc_wlan_parse_response_frame()
> error: '__memcpy()' 'cfg->s[i]->str' copy overflow (512 vs 65537)
>
> drivers/net/wireless/microchip/wilc1000/wlan_cfg.c
> 138 static void wilc_wlan_parse_response_frame(struct wilc *wl, u8 *info, int size)
> 139 {
> 140 u16 wid;
> 141 u32 len = 0, i = 0;
> 142 struct wilc_cfg *cfg = &wl->cfg;
> 143
> 144 while (size > 0) {
> 145 i = 0;
> 146 wid = get_unaligned_le16(info);
> 147
> 148 switch (FIELD_GET(WILC_WID_TYPE, wid)) {
> 149 case WID_CHAR:
> 150 while (cfg->b[i].id != WID_NIL && cfg->b[i].id != wid)
> 151 i++;
> 152
>
> This is the rx path and info comes from skb->data so it feels like we
> need more bounds checking.
>
> if (info < 5)
> return;
>
Agree, the read can go beyond the buffer limit so it's safe to add boundary
checks before accessing the 'info' buffer.
> 153 if (cfg->b[i].id == wid)
> 154 cfg->b[i].val = info[4];
> 155
> 156 len = 3;
> 157 break;
> 158
> 159 case WID_SHORT:
>
> if (info < 6)
> return;
>
> 160 while (cfg->hw[i].id != WID_NIL && cfg->hw[i].id != wid)
> 161 i++;
> 162
> 163 if (cfg->hw[i].id == wid)
> 164 cfg->hw[i].val = get_unaligned_le16(&info[4]);
> 165
> 166 len = 4;
> 167 break;
> 168
> 169 case WID_INT:
>
> if (info < 8)
> return;
>
> 170 while (cfg->w[i].id != WID_NIL && cfg->w[i].id != wid)
> 171 i++;
> 172
> 173 if (cfg->w[i].id == wid)
> 174 cfg->w[i].val = get_unaligned_le32(&info[4]);
> 175
> 176 len = 6;
> 177 break;
> 178
> 179 case WID_STR:
>
> How many bytes are there in cfg->s[i].str? Smatch thinks 512, but I
> don't know where Smatch is getting that...
>
> len = 2 + get_unaligned_le16(&info[2]);
> if (len + 2 > SOME_LIMIT)
> return;
I think Smatch got 512 value from the below macro.
#define WILC_MAX_ASSOC_RESP_FRAME_SIZE 512
Patch[1] has been submitted to address this warning. I hope this would resolve
the warning.
1.
https://lore.kernel.org/linux-wireless/20250829182241.45150-1-ajay.kathat@microchip.com/
Regards,
Ajay
prev parent reply other threads:[~2025-08-29 18:53 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-29 7:50 [bug report] wilc1000: move wilc driver out of staging Dan Carpenter
2025-08-29 18:53 ` Ajay.Kathat [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f629abce-47bf-45ce-82e0-a50f5fd7abc8@microchip.com \
--to=ajay.kathat@microchip.com \
--cc=dan.carpenter@linaro.org \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.