2018-07-31 11:29:42

by Colin King

[permalink] [raw]
Subject: re: [PATCH] cfg80211: read wmm rules from regulatory database

Hi Haim,

I think there may be an issue with the commit:

From 230ebaa189af44d50dccb4a1846e39ca594e347b Mon Sep 17 00:00:00 2001
From: Haim Dreyfuss <[email protected]>
Date: Wed, 28 Mar 2018 13:24:09 +0300
Subject: [PATCH] cfg80211: read wmm rules from regulatory database

specifically in function: reg_copy_regd()

+ for (i = 0; i < src_regd->n_reg_rules; i++) {
memcpy(&regd->reg_rules[i], &src_regd->reg_rules[i],
sizeof(struct ieee80211_reg_rule));
+ if (!src_regd->reg_rules[i].wmm_rule)
+ continue;

+ regd->reg_rules[i].wmm_rule = d_wmm +
+ (src_regd->reg_rules[i].wmm_rule - s_wmm) /
+ sizeof(struct ieee80211_wmm_rule);
+ }

The pointer arithmetic (src_regd->reg_rules[i].wmm_rule - s_wmm) is
performed in terms of the size of struct ieee80211_wmm_rule and not in
bytes and I believe that the division by sizeof(struct
ieee80211_wmm_rule) is not required.

This issue was detected by static analysis with Coverity Scan,
CID#1467451 ("Extra sizeof expression"), 'suspicious_division'

I'm not 100% sure that is this a false positive or not, but I think it
looks incorrect to me.

Colin



2018-08-01 13:24:25

by Dreyfuss, Haim

[permalink] [raw]
Subject: RE: [PATCH] cfg80211: read wmm rules from regulatory database

> -----Original Message-----
> From: Colin Ian King [mailto:[email protected]]
> Sent: Tuesday, July 31, 2018 2:28 PM
> To: Dreyfuss, Haim <[email protected]>; David S. Miller
> <[email protected]>; Johannes Berg <[email protected]>;
> [email protected]; [email protected]
> Cc: [email protected]
> Subject: re: [PATCH] cfg80211: read wmm rules from regulatory database
>
> Hi Haim,
>
> I think there may be an issue with the commit:
>
> From 230ebaa189af44d50dccb4a1846e39ca594e347b Mon Sep 17 00:00:00
> 2001
> From: Haim Dreyfuss <[email protected]>
> Date: Wed, 28 Mar 2018 13:24:09 +0300
> Subject: [PATCH] cfg80211: read wmm rules from regulatory database
>
> specifically in function: reg_copy_regd()
>
> + for (i = 0; i < src_regd->n_reg_rules; i++) {
> memcpy(&regd->reg_rules[i], &src_regd->reg_rules[i],
> sizeof(struct ieee80211_reg_rule));
> + if (!src_regd->reg_rules[i].wmm_rule)
> + continue;
>
> + regd->reg_rules[i].wmm_rule = d_wmm +
> + (src_regd->reg_rules[i].wmm_rule - s_wmm) /
> + sizeof(struct ieee80211_wmm_rule);
> + }
>
> The pointer arithmetic (src_regd->reg_rules[i].wmm_rule - s_wmm) is
> performed in terms of the size of struct ieee80211_wmm_rule and not in
> bytes and I believe that the division by sizeof(struct
> ieee80211_wmm_rule) is not required.
>
> This issue was detected by static analysis with Coverity Scan,
> CID#1467451 ("Extra sizeof expression"), 'suspicious_division'
>
> I'm not 100% sure that is this a false positive or not, but I think it looks
> incorrect to me.

Yeah you're right, this is not false positive.
Johannes already fixed that and Luca will probably send it in the coming week.
>