[PATCH 1/2] ath6kl: add an extra band check to ath6kl_wmi_beginscan_cmd()

[PATCH 1/2] ath6kl: add an extra band check to ath6kl_wmi_beginscan_cmd()

[Kalle Valo]

Dan reported that smatch found a possible issue in ath6kl_wmi_beginscan_cmd()
where we might access sc->supp_rates beyond the end. It shouldn't happen as
ar->wiphy->bands always have just the first two bands set, but add an extra
check just to be sure.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
---
 drivers/net/wireless/ath/ath6kl/wmi.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c
index 31a3081..87aefb4 100644
--- a/drivers/net/wireless/ath/ath6kl/wmi.c
+++ b/drivers/net/wireless/ath/ath6kl/wmi.c
@@ -2029,6 +2029,9 @@ int ath6kl_wmi_beginscan_cmd(struct wmi *wmi, u8 if_idx,
 		if (!sband)
 			continue;
 
+		if (WARN_ON(band >= ATH6KL_NUM_BANDS))
+			break;
+
 		ratemask = rates[band];
 		supp_rates = sc->supp_rates[band].rates;
 		num_rates = 0;

[PATCH 2/2] ath6kl: remove false check from ath6kl_rx()

[Kalle Valo]

Dan found a check from ath6kl_rx() which doesn't make any sense at all:

"  1327          if (status || !(skb->data + HTC_HDR_LENGTH)) {
                                ^^^^^^^^^^^^^^^^^^^^^^^^^^
skb->data is a pointer.  This pointer math is always going to be false.
Should it be testing "packet->act_len < HTC_HDR_LENGTH" or something?"

I don't know what the check really was supposed to do, but I think Dan's guess
is right. Fix it accordingly.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
---
 drivers/net/wireless/ath/ath6kl/txrx.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ath6kl/txrx.c b/drivers/net/wireless/ath/ath6kl/txrx.c
index 43dbdaa..ebb2404 100644
--- a/drivers/net/wireless/ath/ath6kl/txrx.c
+++ b/drivers/net/wireless/ath/ath6kl/txrx.c
@@ -1327,7 +1327,7 @@ void ath6kl_rx(struct htc_target *target, struct htc_packet *packet)
 		   __func__, ar, ept, skb, packet->buf,
 		   packet->act_len, status);
 
-	if (status || !(skb->data + HTC_HDR_LENGTH)) {
+	if (status || packet->act_len < HTC_HDR_LENGTH) {
 		dev_kfree_skb(skb);
 		return;
 	}

Re: [PATCH 1/2] ath6kl: add an extra band check to ath6kl_wmi_beginscan_cmd()

[Kalle Valo]

Kalle Valo <kvalo@qca.qualcomm.com> writes:

> Dan reported that smatch found a possible issue in ath6kl_wmi_beginscan_cmd()
> where we might access sc->supp_rates beyond the end. It shouldn't happen as
> ar->wiphy->bands always have just the first two bands set, but add an extra
> check just to be sure.
>
> Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>

Both patches applied. Thank Dan.

-- 
Kalle Valo