re: [PATCH] Check ieee80211softmac_auth_resp kmalloc result

re: [PATCH] Check ieee80211softmac_auth_resp kmalloc result

[Dan Carpenter]

Hello,

I've written a new kind of Smatch check that generates this warning:

	drivers/net/wireless/ipw2x00/libipw_rx.c:1303 libipw_parse_info_param()
	warn: potentially allocating too little.

drivers/net/wireless/ipw2x00/libipw_rx.c
  1300                  case WLAN_EID_IBSS_DFS:
  1301                          if (network->ibss_dfs)
  1302                                  break;
  1303                          network->ibss_dfs = kmemdup(info_element->data,
  1304                                                      info_element->len,

The problem is that smatch marks "info_element->len" as untrusted data
because it comes from skb->data.  "network->ibss_dfs" is a 9 character
struct.  We're not necessarily allocating enough space for that.

So far as I can see this is harmless because we never use ->ibss_dfs
and we should just delete it along with all the related code?

  1305                                                      GFP_ATOMIC);
  1306                          if (!network->ibss_dfs)
  1307                                  return 1;
  1308                          network->flags |= NETWORK_HAS_IBSS_DFS;
  1309                          break;

regards,
dan carpenter

Re: [PATCH] Check ieee80211softmac_auth_resp kmalloc result

[Stanislav Yakovlev]

Hello Dan,

> So far as I can see this is harmless because we never use ->ibss_dfs
> and we should just delete it along with all the related code?

Yes, you are right. This code is not used by ipw2x00 driver, so it can
be deleted. Will you send a patch?

Stanislav.