* [PATCH v2] cfg80211: Fix array-bounds warning in fragment copy
@ 2017-04-13 17:05 Matthias Kaehlcke
From: Matthias Kaehlcke @ 2017-04-13 17:05 UTC (permalink / raw)
To: Johannes Berg, David S . Miller, Felix Fietkau
Cc: linux-kernel, netdev, linux-wireless, grundler, Greg Hackmann,
Michael Davidson, Matthias Kaehlcke

__ieee80211_amsdu_copy_frag intentionally initializes a pointer to
array[-1] to increment it later to valid values. clang rightfully
generates an array-bounds warning on the initialization statement.

Initialize the pointer to array[0] and change the algorithm from
increment before to increment after consume.

Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
---
Note: Resent to include linux-wireless in cc
net/wireless/util.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/wireless/util.c b/net/wireless/util.c
index 68e5f2ecee1a..52795ae5337f 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -659,7 +659,7 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct sk_buff *frame,
int offset, int len)
{
struct skb_shared_info *sh = skb_shinfo(skb);
- const skb_frag_t *frag = &sh->frags[-1];
+ const skb_frag_t *frag = &sh->frags[0];
struct page *frag_page;
void *frag_ptr;
int frag_len, frag_size;
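Review bot: the new initializer `&sh->frags[0]` can be written as plain `sh->frags`, and the declaration deserves a one-line comment: with the increment moved after the use, `frag` no longer names the fragment being processed but the next one to be read, while `frag_page`, `frag_ptr` and `frag_size` keep describing the current one. Without that comment the next person to touch this function has to rediscover the invariant from the loop bodies.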
@@ -672,10 +672,10 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct sk_buff *frame,
while (offset >= frag_size) {
offset -= frag_size;
- frag++;
frag_page = skb_frag_page(frag);
frag_ptr = skb_frag_address(frag);
frag_size = skb_frag_size(frag);
+ frag++;
}
frag_ptr += offset;
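Review bot: missing bound on the walk in `while (offset >= frag_size)`: each pass calls `skb_frag_page(frag)`, `skb_frag_address(frag)` and `skb_frag_size(frag)`, and nothing in the loop limits how many fragments are visited, so the loop relies entirely on the caller passing an `offset` that lies inside the skb. The reordering does not change that, but since the loop is being rewritten anyway, consider stopping (for example with a WARN_ON_ONCE) once `frag` reaches `&sh->frags[sh->nr_frags]`, or state in the changelog which caller guarantees the range.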
@@ -687,12 +687,12 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct sk_buff *frame,
len -= cur_len;
while (len > 0) {
- frag++;
frag_len = skb_frag_size(frag);
cur_len = min(len, frag_len);
__frame_add_frag(frame, skb_frag_page(frag),
skb_frag_address(frag), cur_len, frag_len);
len -= cur_len;
+ frag++;
}
}
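Review bot: with `frag++` now the last statement of the `while (len > 0)` body, the advance is easy to skip if an early `continue` is ever added to the loop; `for (; len > 0; frag++)` keeps it in the loop header and makes the increment-after-consume order explicit. This is a style point only: the first pass now reads the fragment that `frag` was left on by the earlier loop, which is the same fragment the old pre-increment form reached.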
--
2.12.2.715.g7642488e1d-goog
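The increment-after-consume walk described in the commit message, as an added userspace sketch (not code from the patch or the kernel). `struct frag`, `struct buf`, `sample` and `copy_range` are hypothetical stand-ins for the skb structures, and the bound check against `nr_frags` goes beyond what the patch itself changes.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FRAGS 4
/* Hypothetical stand-ins for an skb: linear head plus fragment array. */
struct frag { const char *data; int size; };
struct buf { const char *head; int head_size, nr_frags; struct frag frags[MAX_FRAGS]; };
/* Constructed sample: "HEADabcdefgh" split into head + two fragments. */
static const struct buf sample = { "HEAD", 4, 2, { { "abc", 3 }, { "defgh", 5 } } };

/* Copy len bytes from offset into out; returns len, or -1 if the range runs
 * past the data (out may then hold a partial copy). frag always names the
 * next unread fragment, so no pointer before frags[0] is ever formed. */
int copy_range(const struct buf *b, int offset, int len, char *out)
{
	const struct frag *frag = b->frags, *end;
	const char *cur = b->head;
	int cur_size = b->head_size, copied, n;

	if (offset < 0 || len < 0 || b->nr_frags < 0 || b->nr_frags > MAX_FRAGS)
		return -1;
	end = b->frags + b->nr_frags;	/* one past the last valid fragment */
	while (offset >= cur_size) {	/* skip chunks that end before offset */
		if (frag == end)
			return -1;	/* offset lies beyond all data */
		offset -= cur_size;
		cur = frag->data;
		cur_size = frag->size;
		frag++;			/* increment after consume */
	}
	n = len < cur_size - offset ? len : cur_size - offset;
	memcpy(out, cur + offset, n);
	for (copied = n, len -= n; len > 0; frag++) {
		if (frag == end)
			return -1;	/* len runs past the last fragment */
		n = len < frag->size ? len : frag->size;
		memcpy(out + copied, frag->data, n);
		copied += n;
		len -= n;
	}
	return copied;
}

int main(void)
{
	char out[16];
	int n = copy_range(&sample, 5, 4, out);
	return printf("%d %.*s\n", n, n > 0 ? n : 0, out) < 0;
}
```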
* [PATCH v2] cfg80211: Fix array-bounds warning in fragment copy
@ 2017-03-27 19:58 Matthias Kaehlcke
From: Matthias Kaehlcke @ 2017-03-27 19:58 UTC (permalink / raw)
To: Johannes Berg, David S . Miller, Felix Fietkau
Cc: netdev, linux-kernel, Grant Grundler, Matthias Kaehlcke

__ieee80211_amsdu_copy_frag intentionally initializes a pointer to
array[-1] to increment it later to valid values. clang rightfully
generates an array-bounds warning on the initialization statement.

Initialize the pointer to array[0] and change the algorithm from
increment before to increment after consume.

Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
---
net/wireless/util.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/wireless/util.c b/net/wireless/util.c
index 68e5f2ecee1a..52795ae5337f 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -659,7 +659,7 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct sk_buff *frame,
int offset, int len)
{
struct skb_shared_info *sh = skb_shinfo(skb);
- const skb_frag_t *frag = &sh->frags[-1];
+ const skb_frag_t *frag = &sh->frags[0];
struct page *frag_page;
void *frag_ptr;
int frag_len, frag_size;
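Review bot: the changelog undersells the `&sh->frags[-1]` initializer removed here: forming a pointer to the element before the start of an array is undefined behaviour in C, not only something clang warns about. Please say so in the commit message and add that no functional change is intended, so the patch is not read as a cosmetic warning fix.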
@@ -672,10 +672,10 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct sk_buff *frame,
while (offset >= frag_size) {
offset -= frag_size;
- frag++;
frag_page = skb_frag_page(frag);
frag_ptr = skb_frag_address(frag);
frag_size = skb_frag_size(frag);
+ frag++;
}
frag_ptr += offset;
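Review bot: the equivalence of the reordered loop hinges on the case where it runs zero times, that is, when `offset` falls inside the linear head: `frag` then stays at `&sh->frags[0]`, and the later `while (len > 0)` loop has to read exactly that fragment first. Please note in the changelog that both paths were exercised, offset in the head and offset in a later fragment, because an off-by-one here would copy the wrong fragment without any visible failure.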
@@ -687,12 +687,12 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct sk_buff *frame,
len -= cur_len;
while (len > 0) {
- frag++;
frag_len = skb_frag_size(frag);
cur_len = min(len, frag_len);
__frame_add_frag(frame, skb_frag_page(frag),
skb_frag_address(frag), cur_len, frag_len);
len -= cur_len;
+ frag++;
}
}
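Review bot: `while (len > 0)` terminates only when `len` reaches zero, so if `len` exceeds the bytes left in the fragments the loop keeps handing `skb_frag_page(frag)` and `skb_frag_address(frag)` of entries past the populated ones to `__frame_add_frag`. That was already true before the reordering, but a check of `frag` against the fragment count at the top of the body would turn a caller bug into a clean bail-out instead of an out-of-bounds read.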
--
2.12.1.578.ge9c3154ca4-goog
* Re: [PATCH v2] cfg80211: Fix array-bounds warning in fragment copy
2017-03-27 19:58 Matthias Kaehlcke
@ 2017-04-10 21:36 ` Matthias Kaehlcke
From: Matthias Kaehlcke @ 2017-04-10 21:36 UTC (permalink / raw)
To: Johannes Berg, David S . Miller, Felix Fietkau
Cc: netdev, linux-kernel, Grant Grundler
On Mon, Mar 27, 2017 at 12:58:22PM -0700 Matthias Kaehlcke wrote:
> __ieee80211_amsdu_copy_frag intentionally initializes a pointer to
> array[-1] to increment it later to valid values. clang rightfully
> generates an array-bounds warning on the initialization statement.
>
> Initialize the pointer to array[0] and change the algorithm from
> increment before to increment after consume.
>
> Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
> ---
> net/wireless/util.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/net/wireless/util.c b/net/wireless/util.c
> index 68e5f2ecee1a..52795ae5337f 100644
> --- a/net/wireless/util.c
> +++ b/net/wireless/util.c
> @@ -659,7 +659,7 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct sk_buff *frame,
> int offset, int len)
> {
> struct skb_shared_info *sh = skb_shinfo(skb);
> - const skb_frag_t *frag = &sh->frags[-1];
> + const skb_frag_t *frag = &sh->frags[0];
> struct page *frag_page;
> void *frag_ptr;
> int frag_len, frag_size;
> @@ -672,10 +672,10 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct sk_buff *frame,
>
> while (offset >= frag_size) {
> offset -= frag_size;
> - frag++;
> frag_page = skb_frag_page(frag);
> frag_ptr = skb_frag_address(frag);
> frag_size = skb_frag_size(frag);
> + frag++;
> }
>
> frag_ptr += offset;
> @@ -687,12 +687,12 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct sk_buff *frame,
> len -= cur_len;
>
> while (len > 0) {
> - frag++;
> frag_len = skb_frag_size(frag);
> cur_len = min(len, frag_len);
> __frame_add_frag(frame, skb_frag_page(frag),
> skb_frag_address(frag), cur_len, frag_len);
> len -= cur_len;
> + frag++;
> }
> }
>
Ping, any feedback on this patch?
Thanks
Matthias