From: Brian Norris <briannorris@chromium.org>
To: Dmitry Antipov <dmantipov@yandex.ru>
Cc: Christophe Jaillet <christophe.jaillet@wanadoo.fr>,
Kalle Valo <kvalo@kernel.org>,
linux-wireless@vger.kernel.org
Subject: Re: [PATCH 2/2] [v2] wifi: mwifiex: fix fortify warningg
Date: Wed, 21 Jun 2023 08:47:32 -0700 [thread overview]
Message-ID: <ZJMblMdEOQ6/ps2J@google.com> (raw)
In-Reply-To: <a1f55197-6138-68d0-9e4f-8e53840d5d90@yandex.ru>
On Wed, Jun 21, 2023 at 11:32:25AM +0300, Dmitry Antipov wrote:
> On 6/20/23 19:26, Brian Norris wrote:
>
> > This invocation seems a bit suspect, as it uses a 'sizeof' of a field
> > that doesn't match the actual pointer (it's off by 1 byte), but that's
> > not your fault. I suppose it's no wonder we had so many problems with
> > TDLS support on mwifiex...
>
> Hm, ieee80211_prep_tdls_direct() seems takes this byte into account.
Presumably it's part of the standard packet format. (I haven't
checked.) But in this case, we're talking about the firmware format that
Marvell firmware expects -- which isn't documented at all. Usually it's
at least related to the IEEE spec, but it isn't guaranteed to be laid
out exactly the same.
BTW, mwifiex doesn't actually use those ieee8021_*() functions for the
most part, because it's not a mac80211 driver.
> But
> do you know why 'u.action.u.tdls_discover_resp' is ended with a flexible
> array, e.g.:
>
> struct {
> u8 action_code;
> u8 dialog_token;
> __le16 capability;
> u8 variable[0];
> } __packed tdls_discover_resp;
Not without more guess-based investigation. My poking around this driver
is more often based on code reading and problem investigation, not based
on any private knowledge of the mwifiex firmware or hardware.
But my guess is that it's supposed to reflect the dynamic amount of
additional IEs appended to this frame, before the body -- such as what
is copied in mwifiex_tdls_append_rates_ie() (or
ieee80211_tdls_add_ies() if we're talking about a mac80211 driver?). The
field itself doesn't actually matter, because it isn't used in the
driver AFAICT.
Brian
next prev parent reply other threads:[~2023-06-21 15:47 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-20 10:07 [PATCH 1/2] [v2] wifi: mwifiex: avoid strlcpy() and use strscpy() where appropriate Dmitry Antipov
2023-06-20 10:07 ` [PATCH 2/2] [v2] wifi: mwifiex: fix fortify warning Dmitry Antipov
2023-06-20 16:26 ` [PATCH 2/2] [v2] wifi: mwifiex: fix fortify warningg Brian Norris
2023-06-21 8:32 ` Dmitry Antipov
2023-06-21 15:47 ` Brian Norris [this message]
2023-06-20 16:08 ` [PATCH 1/2] [v2] wifi: mwifiex: avoid strlcpy() and use strscpy() where appropriate Brian Norris
2023-06-21 8:08 ` Dmitry Antipov
2023-06-21 15:39 ` Brian Norris
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZJMblMdEOQ6/ps2J@google.com \
--to=briannorris@chromium.org \
--cc=christophe.jaillet@wanadoo.fr \
--cc=dmantipov@yandex.ru \
--cc=kvalo@kernel.org \
--cc=linux-wireless@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).