2022-05-31 21:51:08

by Dan Carpenter

[permalink] [raw]
Subject: Re: [PATCH v2 1/2] staging: r8188eu: Fix warning of array overflow in ioctl_linux.c

On Sat, May 28, 2022 at 07:47:10PM -0500, Larry Finger wrote:
> Building with -Warray-bounds results in the following warning plus others
> related to the same problem:
>
> CC [M] drivers/staging/r8188eu/os_dep/ioctl_linux.o
> In function ‘wpa_set_encryption’,
> inlined from ‘rtw_wx_set_enc_ext’ at drivers/staging/r8188eu/os_dep/ioctl_linux.c:1868:9:
> drivers/staging/r8188eu/os_dep/ioctl_linux.c:412:41: warning: array subscript ‘struct ndis_802_11_wep[0]’ is partly outside array bounds of ‘void[25]’ [-Warray-bounds]
> 412 | pwep->KeyLength = wep_key_len;

I'm not totally sure I understand where the void[25] comes from...

This is a false positive, though? Another fix would be to just declare
the struct as a variable size array? I don't know where the 16 comes
from either. :P I have not followed this logic to other functions. If
the 16 is important then the bug is real.

Your patch is harmless and less risky than changing the struct
definition so I'm fine with that. But I'm just trying to understand the
situation better.

regards,
dan carpenter

diff --git a/drivers/staging/r8188eu/include/wlan_bssdef.h b/drivers/staging/r8188eu/include/wlan_bssdef.h
index 9d1c9e763287..0d4fb1d0b22b 100644
--- a/drivers/staging/r8188eu/include/wlan_bssdef.h
+++ b/drivers/staging/r8188eu/include/wlan_bssdef.h
@@ -158,7 +158,7 @@ struct ndis_802_11_wep {
u32 KeyIndex; /* 0 is the per-client key,
* 1-N are the global keys */
u32 KeyLength; /* length of key in bytes */
- u8 KeyMaterial[16];/* variable len depending on above field */
+ u8 KeyMaterial[];/* variable len depending on above field */
};

struct ndis_802_11_auth_req {