From: Arend van Spriel <arend.vanspriel@broadcom.com>
To: Himanshu Jha <himanshujha199640@gmail.com>,
franky.lin@broadcom.com, hante.meuleman@broadcom.com,
chi-hsien.lin@cypress.com, wright.feng@cypress.com
Cc: kvalo@codeaurora.org, johannes.berg@intel.com,
linux-wireless@vger.kernel.org,
brcm80211-dev-list.pdl@broadcom.com,
brcm80211-dev-list@cypress.com, netdev@vger.kernel.org
Subject: Re: Passing uninitialised local variable
Date: Thu, 29 Mar 2018 23:14:29 +0200
Message-ID: <5ABD5735.1050608@broadcom.com>
In-Reply-To: <20180328112014.GA11484@himanshu-Vostro-3559>
On 3/28/2018 1:20 PM, Himanshu Jha wrote:
> Hello everyone,
You added everyone, but me :-(
Not really a problem, but it would help if the driver name was mentioned
in the subject.
> I recently found that a local variable is passed uninitialised to the
> function at
>
> drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c:2950
>
> 	u32 var;
> 	err = brcmf_fil_iovar_int_get(ifp, "dtim_assoc", &var);
> 	if (err) {
> 		brcmf_err("wl dtim_assoc failed (%d)\n", err);
> 		goto update_bss_info_out;
> 	}
> 	dtim_period = (u8)var;
>
>
> Now, the brcmf_fil_iovar_int_get() is defined as:
>
> s32
> brcmf_fil_iovar_int_get(struct brcmf_if *ifp, char *name, u32 *data)
> {
> 	__le32 data_le = cpu_to_le32(*data);
> 	s32 err;
>
> 	err = brcmf_fil_iovar_data_get(ifp, name, &data_le, sizeof(data_le));
> 	if (err == 0)
> 		*data = le32_to_cpu(data_le);
> 	return err;
> }
>
> We can clearly see that 'var' is used uninitialised in the very first line,
> which is undefined behavior.
Why undefined? We copy some stack data and we do transfer that to the
device. However in this case the device does nothing with it and it is
simply overwritten by the response.
> So, what could be a possible fix for the above ?
>
> I'm not sure initialising 'var' to 0 would be the correct solution.
Coverity flagged this and probably still does. For this particular
instance setting var to '0' is fine. However, there are quite a few
other places. For some instances the data contains a selector value for
obtaining info from the device, which is what we copy in
brcmf_fil_iovar_int_get(). So maybe it would be best to have a separate
function for those, e.g. brcmf_fil_iovar_int_selget() or so.
Regards,
Arend
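The split Arend suggests, sketched as an added example that is not driver code: a plain getter that never reads the caller's variable, beside a separate selector getter whose input is meaningful. The fake transport fake_iovar_data_get() and the iovar names "sel_demo" and "nope" are constructed for the example; the real driver's brcmf_fil_iovar_data_get() talks to firmware, and the byte-order helpers are omitted by assuming a little-endian host.

```c
#include <stdint.h>
#include <string.h>

/* Constructed fake firmware: records the payload it received so the test can
 * check what reached the "device". "dtim_assoc" answers a fixed value and
 * ignores its input; "sel_demo" answers (selector * 10); others fail. */
static uint32_t last_sent;

static int32_t fake_iovar_data_get(const char *name, void *buf, size_t len)
{
    uint32_t le;

    if (len != sizeof(le))
        return -22;               /* -EINVAL */
    memcpy(&le, buf, sizeof(le));
    last_sent = le;
    if (strcmp(name, "dtim_assoc") == 0)
        le = 3;                   /* response overwrites whatever was sent */
    else if (strcmp(name, "sel_demo") == 0)
        le = le * 10;             /* response depends on the selector sent */
    else
        return -19;               /* -ENODEV */
    memcpy(buf, &le, sizeof(le));
    return 0;
}

/* Plain getter: never reads *data, so an uninitialised u32 in the caller is
 * harmless and no stack bytes are copied towards the device. */
int32_t iovar_int_get(const char *name, uint32_t *data)
{
    uint32_t data_le = 0;         /* explicit zero instead of cpu_to_le32(*data) */
    int32_t err = fake_iovar_data_get(name, &data_le, sizeof(data_le));

    if (err == 0)
        *data = data_le;          /* le32_to_cpu() omitted: little-endian host assumed */
    return err;
}

/* Selector getter: the input is part of the request, so the caller passes it
 * explicitly by value rather than through the output variable. */
int32_t iovar_int_selget(const char *name, uint32_t sel, uint32_t *data)
{
    uint32_t data_le = sel;
    int32_t err = fake_iovar_data_get(name, &data_le, sizeof(data_le));

    if (err == 0)
        *data = data_le;
    return err;
}
```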
2018-03-28 11:20 Passing uninitialised local variable Himanshu Jha
2018-03-29 21:14 ` Arend van Spriel [this message]
2018-04-09 12:23 ` Petr Machata