linux-wireless.vger.kernel.org archive mirror
* re: airo: clean up and clarify interrupt-time task handling
@ 2014-10-10 12:49 Dan Carpenter
  0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2014-10-10 12:49 UTC (permalink / raw)
  To: dcbw; +Cc: linux-wireless

Hello Dan Williams,

The patch f55d4517ebdd: "airo: clean up and clarify interrupt-time
task handling" from Jan 24, 2009, leads to the following static
checker warning:

	drivers/net/wireless/airo.c:3373 airo_handle_rx()
	warn: XXX pointer math issue ('buffer' is a 2 byte pointer)

drivers/net/wireless/airo.c
  3282  static void airo_handle_rx(struct airo_info *ai)
  3283  {
  3284          struct sk_buff *skb = NULL;
  3285          __le16 fc, v, *buffer, tmpbuf[4];
  3286          u16 len, hdrlen = 0, gap, fid;
  3287          struct rx_hdr hdr;
  3288          int success = 0;
  3289  

[ snip ]

  3354          } else {
  3355                  MICBuffer micbuf;
  3356  
  3357                  bap_read(ai, buffer, ETH_ALEN * 2, BAP0);
  3358                  if (ai->micstats.enabled) {
  3359                          bap_read(ai, (__le16 *) &micbuf, sizeof (micbuf), BAP0);
  3360                          if (ntohs(micbuf.typelen) > 0x05DC)
  3361                                  bap_setup(ai, fid, 0x44, BAP0);
  3362                          else {
  3363                                  if (len <= sizeof (micbuf)) {
  3364                                          dev_kfree_skb_irq(skb);
  3365                                          goto done;
  3366                                  }
  3367  
  3368                                  len -= sizeof(micbuf);
  3369                                  skb_trim(skb, len + hdrlen);
  3370                          }
  3371                  }
  3372  
  3373                  bap_read(ai, buffer + ETH_ALEN, len, BAP0);
                                     ^^^^^^^^^^^^^^^^^
It's really unusual to use ETH_ALEN to represent 12 bytes.  Normally
it is a bug when people do that.  But looking at the context it may be
intentional here...  It's not clear.

  3374                  if (decapsulate(ai, &micbuf, (etherHead*) buffer, len))
  3375                          dev_kfree_skb_irq (skb);
  3376                  else
  3377                          success = 1;
  3378          }

regards,
dan carpenter
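
The pointer arithmetic behind the warning, as an added example that is not part of the original message or the airo driver: adding ETH_ALEN to a 16-bit pointer moves it 12 bytes, the same amount the earlier ETH_ALEN * 2 read consumed. mock_bap_read, its byte-length parameter and the sample stream are constructed stand-ins.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ETH_ALEN 6  /* bytes in one MAC address, as in the kernel headers */

/* Constructed stand-in for a sequential data port (assumption, not driver code). */
struct mock_bap { const uint8_t *src; size_t pos; };

/* Hypothetical helper: copy the next `bytelen` bytes of the stream to dst. */
static void mock_bap_read(struct mock_bap *b, uint16_t *dst, size_t bytelen)
{
	memcpy(dst, b->src + b->pos, bytelen);
	b->pos += bytelen;
}

/* Byte distance that `buffer + ETH_ALEN` moves when buffer is a 2 byte pointer. */
size_t elem_offset_bytes(void)
{
	uint16_t buf[32];
	uint16_t *buffer = buf;
	return (size_t)((uint8_t *)(buffer + ETH_ALEN) - (uint8_t *)buffer);
}

/* Same two-step shape as lines 3357 and 3373: addresses first, then payload.
 * Returns 1 if the frame ends up byte-for-byte contiguous with the stream. */
int frame_is_contiguous(void)
{
	uint8_t stream[20];  /* constructed sample: 12 address bytes + 8 payload */
	uint16_t frame[10] = {0};
	struct mock_bap bap = { stream, 0 };
	size_t i, len = 8;

	for (i = 0; i < sizeof(stream); i++)
		stream[i] = (uint8_t)(i + 1);

	mock_bap_read(&bap, frame, ETH_ALEN * 2);    /* two MAC addresses */
	mock_bap_read(&bap, frame + ETH_ALEN, len);  /* lands at byte 12 */
	return memcmp(frame, stream, sizeof(stream)) == 0;
}

/* The explicit byte-offset spelling of the same destination. */
int byte_form_matches(void)
{
	uint16_t buf[32];
	return (uint8_t *)(buf + ETH_ALEN) == (uint8_t *)buf + 2 * ETH_ALEN;
}
```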
