From: Dan Carpenter <dan.carpenter@oracle.com>
To: luciano.coelho@intel.com
Cc: linux-wireless@vger.kernel.org
Subject: [bug report] iwlwifi: support REDUCE_TX_POWER_CMD version 6
Date: Thu, 3 Dec 2020 12:08:27 +0300 [thread overview]
Message-ID: <X8irC3FP0QDE9QFe@mwanda> (raw)
Hello Luca Coelho,
The patch fbb7957d28ac: "iwlwifi: support REDUCE_TX_POWER_CMD version
6" from Sep 28, 2020, leads to the following static checker warning:
drivers/net/wireless/intel/iwlwifi/fw/acpi.c:462 iwl_sar_fill_table()
error: buffer overflow 'prof->table' 10 <= 15
drivers/net/wireless/intel/iwlwifi/fw/acpi.c
422 static int iwl_sar_fill_table(struct iwl_fw_runtime *fwrt,
423 __le16 *per_chain, u32 n_subbands,
424 int prof_a, int prof_b)
Original n_subbands was ACPI_SAR_NUM_SUB_BANDS (5) but now it can be
IWL_NUM_SUB_BANDS_V2 (11) as well.
425 {
426 int profs[ACPI_SAR_NUM_CHAIN_LIMITS] = { prof_a, prof_b };
427 int i, j, idx;
428
429 for (i = 0; i < ACPI_SAR_NUM_CHAIN_LIMITS; i++) {
430 struct iwl_sar_profile *prof;
431
432 /* don't allow SAR to be disabled (profile 0 means disable) */
433 if (profs[i] == 0)
434 return -EPERM;
435
436 /* we are off by one, so allow up to ACPI_SAR_PROFILE_NUM */
437 if (profs[i] > ACPI_SAR_PROFILE_NUM)
438 return -EINVAL;
439
440 /* profiles go from 1 to 4, so decrement to access the array */
441 prof = &fwrt->sar_profiles[profs[i] - 1];
442
443 /* if the profile is disabled, do nothing */
444 if (!prof->enabled) {
445 IWL_DEBUG_RADIO(fwrt, "SAR profile %d is disabled.\n",
446 profs[i]);
447 /*
448 * if one of the profiles is disabled, we
449 * ignore all of them and return 1 to
450 * differentiate disabled from other failures.
451 */
452 return 1;
453 }
454
455 IWL_DEBUG_INFO(fwrt,
456 "SAR EWRD: chain %d profile index %d\n",
457 i, profs[i]);
458 IWL_DEBUG_RADIO(fwrt, " Chain[%d]:\n", i);
459 for (j = 0; j < n_subbands; j++) {
460 idx = i * ACPI_SAR_NUM_SUB_BANDS + j;
461 per_chain[i * n_subbands + j] =
462 cpu_to_le16(prof->table[idx]);
^^^^^^^^^^^^^^^^
But this table size wasn't increased so potentially we're reading beyond
the end of the array?
463 IWL_DEBUG_RADIO(fwrt, " Band[%d] = %d * .125dBm\n",
464 j, prof->table[idx]);
^^^^^^^^^^^^^^^^
465 }
466 }
468 return 0;
469 }
regards,
dan carpenter
next reply other threads:[~2020-12-03 9:09 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-12-03 9:08 Dan Carpenter [this message]
2021-06-02 21:12 ` [bug report] iwlwifi: support REDUCE_TX_POWER_CMD version 6 Brian Norris
2021-06-08 13:05 ` Coelho, Luciano
2021-06-08 13:04 ` Coelho, Luciano
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=X8irC3FP0QDE9QFe@mwanda \
--to=dan.carpenter@oracle.com \
--cc=linux-wireless@vger.kernel.org \
--cc=luciano.coelho@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox