From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from p-impout004.msg.pkvw.co.charter.net (p-impout004aa.msg.pkvw.co.charter.net [47.43.26.135]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id BB51B17F1 for ; Tue, 31 May 2022 01:33:09 +0000 (UTC) Received: from 2603-8090-2005-39b3-0000-0000-0000-100e.res6.spectrum.com.com ([24.31.246.181]) by cmsmtp with ESMTP id vqjLnnv0kgPEBvqjSnJB4O; Tue, 31 May 2022 01:31:39 +0000 X-Authority-Analysis: v=2.4 cv=b8OhX/Kx c=1 sm=1 tr=0 ts=62956ffb a=cAe/7qmlxnd6JlJqP68I9A==:117 a=cAe/7qmlxnd6JlJqP68I9A==:17 a=IkcTkHD0fZMA:10 a=yQdBAQUQAAAA:8 a=JKArFDfnAAAA:8 a=yPCof4ZbAAAA:8 a=trFUbqFmGWvzTRzaABQA:9 a=QEXdDO2ut3YA:10 a=SzazLyfi1tnkUD6oumHU:22 a=8HTcXXoeXT8DLsUt73VG:22 From: Larry Finger To: gregkh@linuxfoundation.org Cc: phil@philpotter.co.uk, linux-staging@lists.linux.dev, linux-kernel@vger.kernel.org, Larry Finger , Dan Carpenter Subject: [PATCH v3 2/2] staging: r8188eu: Fix warning of array overflow in ioctl_linux.c Date: Mon, 30 May 2022 20:31:03 -0500 Message-Id: <20220531013103.2175-3-Larry.Finger@lwfinger.net> X-Mailer: git-send-email 2.36.1 In-Reply-To: <20220531013103.2175-1-Larry.Finger@lwfinger.net> References: <20220531013103.2175-1-Larry.Finger@lwfinger.net> Precedence: bulk X-Mailing-List: linux-staging@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-CMAE-Envelope: MS4xfHjbCQQ0ilhvUMTInvLkcBR7pz0MsdzmJXh1BoA+6zbxacd/1ou6F06evJku56zwHtSobOO6nNxCwFmZ+TLIYJJ6DGx0YVFo+Aeyt2zBJkP2ZrqxOHH8 RCGO7L2GpTm9gJSZ90lPPUkCKGAWr5FDGRAzC3pgfd+C5Ll4RaKXFouIbfaMCXLFg4Oh7/d/7XI3SiHJsj6j4BBAXk1vdrRM4zkn6pOcbSiYAwOaH8nx/H8W bHzFJlbsmK/cdzRmPWA6qdyrKKc2MrY/bxjRWCalgtJlvcwf+CCJcMS++B9RB4Fwxx1f4FsOpkeR8/ESCtj9JS9LicD5OoJcqN441srWnSj5OdYkHH17BXcJ M4jNLHD7cOIwnDmBRC6J87twXoILuPmfiBh7SxcEghBFluVQnzl7XNm5xTAoI4YUc7kwWFTM+l6iVi/tVQf9Vt/KYIU3P7eGYYz4SN3/uRfctRoinnA= Building with -Warray-bounds results in the following warning plus others related to the same problem: CC [M] drivers/staging/r8188eu/os_dep/ioctl_linux.o In function ‘wpa_set_encryption’, inlined from ‘rtw_wx_set_enc_ext’ at drivers/staging/r8188eu/os_dep/ioctl_linux.c:1868:9: drivers/staging/r8188eu/os_dep/ioctl_linux.c:412:41: warning: array subscript ‘struct ndis_802_11_wep[0]’ is partly outside array bounds of ‘void[25]’ [-Warray-bounds] 412 | pwep->KeyLength = wep_key_len; | ~~~~~~~~~~~~~~~~^~~~~~~~~~~~~ In file included from drivers/staging/r8188eu/os_dep/../include/osdep_service.h:19, from drivers/staging/r8188eu/os_dep/ioctl_linux.c:4: In function ‘kmalloc’, inlined from ‘kzalloc’ at ./include/linux/slab.h:733:9, inlined from ‘wpa_set_encryption’ at drivers/staging/r8188eu/os_dep/ioctl_linux.c:408:11, inlined from ‘rtw_wx_set_enc_ext’ at drivers/staging/r8188eu/os_dep/ioctl_linux.c:1868:9: ./include/linux/slab.h:605:16: note: object of size [17, 25] allocated by ‘__kmalloc’ 605 | return __kmalloc(size, flags); | ^~~~~~~~~~~~~~~~~~~~~~ ./include/linux/slab.h:600:24: note: object of size [17, 25] allocated by ‘kmem_cache_alloc_trace’ 600 | return kmem_cache_alloc_trace( | ^~~~~~~~~~~~~~~~~~~~~~~ 601 | kmalloc_caches[kmalloc_type(flags)][index], | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 602 | flags, size); | ~~~~~~~~~~~~ Although it is unlikely that anyone is still using WEP encryption, the size of the allocation needs to be increased just in case. Fixes commit 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL8188eu driver") Fixes: 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL8188eu driver") Signed-off-by: Larry Finger Cc: Phillip Potter Cc: Dan Carpenter --- v2 - get proper To and Cc v3 - no changes --- drivers/staging/r8188eu/os_dep/ioctl_linux.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/staging/r8188eu/os_dep/ioctl_linux.c b/drivers/staging/r8188eu/os_dep/ioctl_linux.c index 1b09462ca908..8dd280e2739a 100644 --- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c +++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c @@ -403,7 +403,7 @@ static int wpa_set_encryption(struct net_device *dev, struct ieee_param *param, if (wep_key_len > 0) { wep_key_len = wep_key_len <= 5 ? 5 : 13; - wep_total_len = wep_key_len + FIELD_OFFSET(struct ndis_802_11_wep, KeyMaterial); + wep_total_len = wep_key_len + sizeof(*pwep); pwep = kzalloc(wep_total_len, GFP_KERNEL); if (!pwep) goto exit; -- 2.36.1