From: Dan Carpenter <dan.carpenter@oracle.com>
To: pkshih@realtek.com
Cc: linux-wireless@vger.kernel.org
Subject: [bug report] rtw89: add Realtek 802.11ax driver
Date: Fri, 12 Nov 2021 10:51:59 +0300 [thread overview]
Message-ID: <20211112075159.GA15433@kili> (raw)
Hello Ping-Ke Shih,
The patch e3ec7017f6a2: "rtw89: add Realtek 802.11ax driver" from Oct
11, 2021, leads to the following Smatch static checker warning:
drivers/net/wireless/realtek/rtw89/fw.c:1383 rtw89_fw_h2c_rf_reg()
error: buffer overflow 'info->rtw89_phy_config_rf_h2c' 3 <= 3
drivers/net/wireless/realtek/rtw89/phy.c
662 static int rtw89_phy_config_rf_reg_fw(struct rtw89_dev *rtwdev,
663 struct rtw89_fw_h2c_rf_reg_info *info)
664 {
665 u16 page = info->curr_idx / RTW89_H2C_RF_PAGE_SIZE;
666 u16 len = (info->curr_idx % RTW89_H2C_RF_PAGE_SIZE) * 4;
667 u8 i;
668 int ret = 0;
669
670 if (page > RTW89_H2C_RF_PAGE_NUM) {
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Lets assume "page == RTW89_H2C_RF_PAGE_NUM.
671 rtw89_warn(rtwdev,
672 "rf reg h2c total page num %d larger than %d (RTW89_H2C_RF_PAGE_NUM)\n",
673 page, RTW89_H2C_RF_PAGE_NUM);
674 return -EINVAL;
675 }
676
677 for (i = 0; i < page; i++) {
^^^^^^^^^
678 ret = rtw89_fw_h2c_rf_reg(rtwdev, info,
679 RTW89_H2C_RF_PAGE_SIZE * 4, i);
680 if (ret)
681 return ret;
682 }
683 ret = rtw89_fw_h2c_rf_reg(rtwdev, info, len, i);
^
So "i" is now RTW89_H2C_RF_PAGE_NUM and it leads to off by one out of
bounds error.
684 if (ret)
685 return ret;
686 info->curr_idx = 0;
687
688 return 0;
689 }
regards,
dan carpenter
next reply other threads:[~2021-11-12 7:52 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-11-12 7:51 Dan Carpenter [this message]
2021-11-15 7:33 ` [bug report] rtw89: add Realtek 802.11ax driver Pkshih
2021-11-19 6:01 ` Pkshih
-- strict thread matches above, loose matches on Subject: below --
2022-12-12 15:33 Dan Carpenter
2022-12-13 0:46 ` Ping-Ke Shih
2022-12-13 4:21 ` Dan Carpenter
2021-11-30 10:42 Dan Carpenter
2021-12-01 1:57 ` Pkshih
2021-11-08 14:47 Dan Carpenter
2021-11-09 1:04 ` Pkshih
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211112075159.GA15433@kili \
--to=dan.carpenter@oracle.com \
--cc=linux-wireless@vger.kernel.org \
--cc=pkshih@realtek.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).