Re: [PATCH] staging: wilc100: Remove pointer and integer comparision

linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Dan Carpenter <dan.carpenter@oracle.com>
To: Chandra S Gorentla <csgorentla@gmail.com>
Cc: gregkh@linuxfoundation.org, rachel.kim@atmel.com,
	dean.lee@atmel.com, chris.park@atmel.com,
	devel@driverdev.osuosl.org, linux-wireless@vger.kernel.org,
	johnny.kim@atmel.com, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] staging: wilc100: Remove pointer and integer comparision
Date: Mon, 10 Aug 2015 12:39:43 +0300	[thread overview]
Message-ID: <20150810093943.GI5180@mwanda> (raw)
In-Reply-To: <1439133602-9654-1-git-send-email-csgorentla@gmail.com>

On Sun, Aug 09, 2015 at 08:50:02PM +0530, Chandra S Gorentla wrote:
> Removed pointer check with integer; this fixes 'sparse' error -
> error: incompatible types for operation (>)
>    left side has type unsigned char [usertype] *[usertype] pu8Tail
>    right side has type int
> 
> Signed-off-by: Chandra S Gorentla <csgorentla@gmail.com>
> ---
>  drivers/staging/wilc1000/host_interface.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/drivers/staging/wilc1000/host_interface.c b/drivers/staging/wilc1000/host_interface.c
> index cc549c2..4ba1ad7 100644
> --- a/drivers/staging/wilc1000/host_interface.c
> +++ b/drivers/staging/wilc1000/host_interface.c
> @@ -3471,7 +3471,7 @@ static void Handle_AddBeacon(void *drvHandler, tstrHostIFSetBeacon *pstrSetBeaco
>  	*pu8CurrByte++ = ((pstrSetBeaconParam->u32TailLen >> 24) & 0xFF);
>  
>  	/* Bug 4599 : if tail length = 0 skip copying */
> -	if (pstrSetBeaconParam->pu8Tail > 0)
> +	if (pstrSetBeaconParam->pu8Tail != NULL)
>  		memcpy(pu8CurrByte, pstrSetBeaconParam->pu8Tail, pstrSetBeaconParam->u32TailLen);
>  	pu8CurrByte += pstrSetBeaconParam->u32TailLen;

Warnings are a precious thing, because they show you where people are
lost.  It's better to take a broader look at the code instead of *just*
silencing the warning.

For example, the comment is nonsense.  memcpy(anything, anything, 0);
is a no-op so it already would skip copying in that case.  I wonder what
bug 4599 actually means...

Also the next line is quite suspect.  Even though we don't copy then we
are still incrementing the pu8CurrByte count?  That seems wrong.

So now let's consider if the memcpy() is correct.  pu8CurrByte is
allocated at the start of the function.  It should have space for
->u32TailLen bytes, except for they seem to have forgotten about integer
overflow.  I think ->u32TailLen is not trusted data so this could be a
security bug.  Maybe you could exploit it by setting ->u32HeadLen to the
amount of memory you want to corrupt.  Set ->u32TailLen to a high
number so it triggers an integer overflow.  Set >pu8Tail to NULL so it
is doesn't just corrupt everything (DoS attack instead of privilege
escalation).

I have just looked at the code so I don't know if this is true, but this
is how I read that warning.

regards,
dan carpenter

next prev parent reply	other threads:[~2015-08-10  9:40 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-08-09 15:20 [PATCH] staging: wilc100: Remove pointer and integer comparision Chandra S Gorentla
2015-08-10  9:39 ` Dan Carpenter [this message]
2015-08-10 15:29   ` Chandra Gorentla
2015-08-10 16:27     ` Dan Carpenter
2015-08-10 17:40       ` Chandra Gorentla
2015-08-10 18:38         ` Dan Carpenter
2015-08-11 15:07           ` Chandra Gorentla

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20150810093943.GI5180@mwanda \
    --to=dan.carpenter@oracle.com \
    --cc=chris.park@atmel.com \
    --cc=csgorentla@gmail.com \
    --cc=dean.lee@atmel.com \
    --cc=devel@driverdev.osuosl.org \
    --cc=gregkh@linuxfoundation.org \
    --cc=johnny.kim@atmel.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-wireless@vger.kernel.org \
    --cc=rachel.kim@atmel.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).