[PATCH rtw-next] wifi: rtw89: fw: cast mfw_hdr pointer from address of zeroth byte of firmware->data

linux-wireless.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH rtw-next] wifi: rtw89: fw: cast mfw_hdr pointer from address of zeroth byte of firmware->data
@ 2025-03-25  2:54 Ping-Ke Shih
  2025-03-31  6:08 ` Ping-Ke Shih
  0 siblings, 1 reply; 2+ messages in thread
From: Ping-Ke Shih @ 2025-03-25  2:54 UTC (permalink / raw)
  To: linux-wireless

The firmware->size is validated before using firmware->data, but Coverity
still reports:
  Downcasting "firmware->data" from "u8 const *" to "struct rtw89_mfw_hdr"
  implies that the data that this pointer points to is tainted."

Using &firmware->data[0] to avoid the warning. No change logic at all.

Addresses-Coverity-ID: 1494046 ("Untrusted loop bound")
Addresses-Coverity-ID: 1544385 ("Untrusted array index read")

Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
---
 drivers/net/wireless/realtek/rtw89/fw.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/realtek/rtw89/fw.c b/drivers/net/wireless/realtek/rtw89/fw.c
index 8643b17866f8..c1d1e9ec08db 100644
--- a/drivers/net/wireless/realtek/rtw89/fw.c
+++ b/drivers/net/wireless/realtek/rtw89/fw.c
@@ -554,7 +554,7 @@ const struct rtw89_mfw_hdr *rtw89_mfw_get_hdr_ptr(struct rtw89_dev *rtwdev,
 	if (sizeof(*mfw_hdr) > firmware->size)
 		return NULL;
 
-	mfw_hdr = (const struct rtw89_mfw_hdr *)firmware->data;
+	mfw_hdr = (const struct rtw89_mfw_hdr *)&firmware->data[0];
 
 	if (mfw_hdr->sig != RTW89_MFW_SIG)
 		return NULL;
-- 
2.25.1


^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH rtw-next] wifi: rtw89: fw: cast mfw_hdr pointer from address of zeroth byte of firmware->data
  2025-03-25  2:54 [PATCH rtw-next] wifi: rtw89: fw: cast mfw_hdr pointer from address of zeroth byte of firmware->data Ping-Ke Shih
@ 2025-03-31  6:08 ` Ping-Ke Shih
  0 siblings, 0 replies; 2+ messages in thread
From: Ping-Ke Shih @ 2025-03-31  6:08 UTC (permalink / raw)
  To: Ping-Ke Shih, linux-wireless

Ping-Ke Shih <pkshih@realtek.com> wrote:

> The firmware->size is validated before using firmware->data, but Coverity
> still reports:
>   Downcasting "firmware->data" from "u8 const *" to "struct rtw89_mfw_hdr"
>   implies that the data that this pointer points to is tainted."
> 
> Using &firmware->data[0] to avoid the warning. No change logic at all.
> 
> Addresses-Coverity-ID: 1494046 ("Untrusted loop bound")
> Addresses-Coverity-ID: 1544385 ("Untrusted array index read")
> 
> Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>

1 patch(es) applied to rtw-next branch of rtw.git, thanks.

bc1265b5c982 wifi: rtw89: fw: cast mfw_hdr pointer from address of zeroth byte of firmware->data

---
https://github.com/pkshih/rtw.git


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2025-03-31  6:08 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-03-25  2:54 [PATCH rtw-next] wifi: rtw89: fw: cast mfw_hdr pointer from address of zeroth byte of firmware->data Ping-Ke Shih
2025-03-31  6:08 ` Ping-Ke Shih

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).