From: Dan Carpenter <dan.carpenter@oracle.com>
To: akarwar@marvell.com
Cc: kernel-janitors@vger.kernel.org, linux-wireless@vger.kernel.org,
Nishant Sarmukadam <nishants@marvell.com>
Subject: [bug report] mwifiex: do le_to_cpu conversion for Rx packet header elements
Date: Wed, 2 May 2018 15:49:03 +0300 [thread overview]
Message-ID: <20180502124903.GA24880@mwanda> (raw)
Hello Amitkumar Karwar,
The patch ed1ea6f42ece: "mwifiex: do le_to_cpu conversion for Rx
packet header elements" from Aug 3, 2012, leads to the following
static checker warning:
drivers/net/wireless/marvell/mwifiex/sta_rx.c:251 mwifiex_process_sta_rx_packet()
error: buffer overflow 'priv->rx_seq' 8 <= 255 user_rl='0-255'
drivers/net/wireless/marvell/mwifiex/sta_rx.c
187 int mwifiex_process_sta_rx_packet(struct mwifiex_private *priv,
188 struct sk_buff *skb)
189 {
190 struct mwifiex_adapter *adapter = priv->adapter;
191 int ret = 0;
192 struct rxpd *local_rx_pd;
193 struct rx_packet_hdr *rx_pkt_hdr;
194 u8 ta[ETH_ALEN];
195 u16 rx_pkt_type, rx_pkt_offset, rx_pkt_length, seq_num;
196 struct mwifiex_sta_node *sta_ptr;
197
198 local_rx_pd = (struct rxpd *) (skb->data);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Smatch distructs skb->data like the plague.
199 rx_pkt_type = le16_to_cpu(local_rx_pd->rx_pkt_type);
200 rx_pkt_offset = le16_to_cpu(local_rx_pd->rx_pkt_offset);
201 rx_pkt_length = le16_to_cpu(local_rx_pd->rx_pkt_length);
202 seq_num = le16_to_cpu(local_rx_pd->seq_num);
203
204 rx_pkt_hdr = (void *)local_rx_pd + rx_pkt_offset;
205
206 if ((rx_pkt_offset + rx_pkt_length) > (u16) skb->len) {
207 mwifiex_dbg(adapter, ERROR,
208 "wrong rx packet: len=%d, rx_pkt_offset=%d, rx_pkt_length=%d\n",
209 skb->len, rx_pkt_offset, rx_pkt_length);
210 priv->stats.rx_dropped++;
211 dev_kfree_skb_any(skb);
212 return ret;
213 }
214
215 if (rx_pkt_type == PKT_TYPE_MGMT) {
216 ret = mwifiex_process_mgmt_packet(priv, skb);
217 if (ret)
218 mwifiex_dbg(adapter, DATA, "Rx of mgmt packet failed");
219 dev_kfree_skb_any(skb);
220 return ret;
221 }
222
223 /*
224 * If the packet is not an unicast packet then send the packet
225 * directly to os. Don't pass thru rx reordering
226 */
227 if ((!IS_11N_ENABLED(priv) &&
228 !(ISSUPP_TDLS_ENABLED(priv->adapter->fw_cap_info) &&
229 !(local_rx_pd->flags & MWIFIEX_RXPD_FLAGS_TDLS_PACKET))) ||
230 !ether_addr_equal_unaligned(priv->curr_addr, rx_pkt_hdr->eth803_hdr.h_dest)) {
231 mwifiex_process_rx_packet(priv, skb);
232 return ret;
233 }
234
235 if (mwifiex_queuing_ra_based(priv) ||
236 (ISSUPP_TDLS_ENABLED(priv->adapter->fw_cap_info) &&
237 local_rx_pd->flags & MWIFIEX_RXPD_FLAGS_TDLS_PACKET)) {
238 memcpy(ta, rx_pkt_hdr->eth803_hdr.h_source, ETH_ALEN);
239 if (local_rx_pd->flags & MWIFIEX_RXPD_FLAGS_TDLS_PACKET &&
240 local_rx_pd->priority < MAX_NUM_TID) {
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
We check ->priority here.
241 sta_ptr = mwifiex_get_sta_entry(priv, ta);
242 if (sta_ptr)
243 sta_ptr->rx_seq[local_rx_pd->priority] =
244 le16_to_cpu(local_rx_pd->seq_num);
245 mwifiex_auto_tdls_update_peer_signal(priv, ta,
246 local_rx_pd->snr,
247 local_rx_pd->nf);
248 }
249 } else {
250 if (rx_pkt_type != PKT_TYPE_BAR)
251 priv->rx_seq[local_rx_pd->priority] = seq_num;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
But not on this path.
252 memcpy(ta, priv->curr_bss_params.bss_descriptor.mac_address,
253 ETH_ALEN);
254 }
255
256 /* Reorder and send to OS */
257 ret = mwifiex_11n_rx_reorder_pkt(priv, seq_num, local_rx_pd->priority,
258 ta, (u8) rx_pkt_type, skb);
259
regards,
dan carpenter
WARNING: multiple messages have this Message-ID (diff)
From: Dan Carpenter <dan.carpenter@oracle.com>
To: akarwar@marvell.com
Cc: kernel-janitors@vger.kernel.org, linux-wireless@vger.kernel.org,
Nishant Sarmukadam <nishants@marvell.com>
Subject: [bug report] mwifiex: do le_to_cpu conversion for Rx packet header elements
Date: Wed, 02 May 2018 12:49:03 +0000 [thread overview]
Message-ID: <20180502124903.GA24880@mwanda> (raw)
Hello Amitkumar Karwar,
The patch ed1ea6f42ece: "mwifiex: do le_to_cpu conversion for Rx
packet header elements" from Aug 3, 2012, leads to the following
static checker warning:
drivers/net/wireless/marvell/mwifiex/sta_rx.c:251 mwifiex_process_sta_rx_packet()
error: buffer overflow 'priv->rx_seq' 8 <= 255 user_rl='0-255'
drivers/net/wireless/marvell/mwifiex/sta_rx.c
187 int mwifiex_process_sta_rx_packet(struct mwifiex_private *priv,
188 struct sk_buff *skb)
189 {
190 struct mwifiex_adapter *adapter = priv->adapter;
191 int ret = 0;
192 struct rxpd *local_rx_pd;
193 struct rx_packet_hdr *rx_pkt_hdr;
194 u8 ta[ETH_ALEN];
195 u16 rx_pkt_type, rx_pkt_offset, rx_pkt_length, seq_num;
196 struct mwifiex_sta_node *sta_ptr;
197
198 local_rx_pd = (struct rxpd *) (skb->data);
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Smatch distructs skb->data like the plague.
199 rx_pkt_type = le16_to_cpu(local_rx_pd->rx_pkt_type);
200 rx_pkt_offset = le16_to_cpu(local_rx_pd->rx_pkt_offset);
201 rx_pkt_length = le16_to_cpu(local_rx_pd->rx_pkt_length);
202 seq_num = le16_to_cpu(local_rx_pd->seq_num);
203
204 rx_pkt_hdr = (void *)local_rx_pd + rx_pkt_offset;
205
206 if ((rx_pkt_offset + rx_pkt_length) > (u16) skb->len) {
207 mwifiex_dbg(adapter, ERROR,
208 "wrong rx packet: len=%d, rx_pkt_offset=%d, rx_pkt_length=%d\n",
209 skb->len, rx_pkt_offset, rx_pkt_length);
210 priv->stats.rx_dropped++;
211 dev_kfree_skb_any(skb);
212 return ret;
213 }
214
215 if (rx_pkt_type = PKT_TYPE_MGMT) {
216 ret = mwifiex_process_mgmt_packet(priv, skb);
217 if (ret)
218 mwifiex_dbg(adapter, DATA, "Rx of mgmt packet failed");
219 dev_kfree_skb_any(skb);
220 return ret;
221 }
222
223 /*
224 * If the packet is not an unicast packet then send the packet
225 * directly to os. Don't pass thru rx reordering
226 */
227 if ((!IS_11N_ENABLED(priv) &&
228 !(ISSUPP_TDLS_ENABLED(priv->adapter->fw_cap_info) &&
229 !(local_rx_pd->flags & MWIFIEX_RXPD_FLAGS_TDLS_PACKET))) ||
230 !ether_addr_equal_unaligned(priv->curr_addr, rx_pkt_hdr->eth803_hdr.h_dest)) {
231 mwifiex_process_rx_packet(priv, skb);
232 return ret;
233 }
234
235 if (mwifiex_queuing_ra_based(priv) ||
236 (ISSUPP_TDLS_ENABLED(priv->adapter->fw_cap_info) &&
237 local_rx_pd->flags & MWIFIEX_RXPD_FLAGS_TDLS_PACKET)) {
238 memcpy(ta, rx_pkt_hdr->eth803_hdr.h_source, ETH_ALEN);
239 if (local_rx_pd->flags & MWIFIEX_RXPD_FLAGS_TDLS_PACKET &&
240 local_rx_pd->priority < MAX_NUM_TID) {
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
We check ->priority here.
241 sta_ptr = mwifiex_get_sta_entry(priv, ta);
242 if (sta_ptr)
243 sta_ptr->rx_seq[local_rx_pd->priority] 244 le16_to_cpu(local_rx_pd->seq_num);
245 mwifiex_auto_tdls_update_peer_signal(priv, ta,
246 local_rx_pd->snr,
247 local_rx_pd->nf);
248 }
249 } else {
250 if (rx_pkt_type != PKT_TYPE_BAR)
251 priv->rx_seq[local_rx_pd->priority] = seq_num;
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
But not on this path.
252 memcpy(ta, priv->curr_bss_params.bss_descriptor.mac_address,
253 ETH_ALEN);
254 }
255
256 /* Reorder and send to OS */
257 ret = mwifiex_11n_rx_reorder_pkt(priv, seq_num, local_rx_pd->priority,
258 ta, (u8) rx_pkt_type, skb);
259
regards,
dan carpenter
next reply other threads:[~2018-05-02 12:49 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-02 12:49 Dan Carpenter [this message]
2018-05-02 12:49 ` [bug report] mwifiex: do le_to_cpu conversion for Rx packet header elements Dan Carpenter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180502124903.GA24880@mwanda \
--to=dan.carpenter@oracle.com \
--cc=akarwar@marvell.com \
--cc=kernel-janitors@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=nishants@marvell.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.