Hi Arik,
Smatch complains about c47e8229fa56 "wl12xx: support up to 8 stations
in AP-mode"
drivers/net/wireless/wl12xx/main.c +832 wl12xx_irq_update_links_status(22)
error: buffer overflow 'status->tx_lnk_free_pkts' 8 <= 10
828 for (hlid = WL1271_AP_STA_HLID_START; hlid < AP_MAX_LINKS; hlid++) {
^^^^^^^^^^^^
We increased this to 11.
829 if (!wl1271_is_active_sta(wl, hlid))
830 continue;
831
832 cnt = status->tx_lnk_free_pkts[hlid] -
^^^^^^^^^^^^^^^^^^^^^^
But the ->tx_lnk_free_pkts[] array still only has 8 elements so we're
reading past the end of the array.
833 wl->links[hlid].prev_freed_pkts;
834
835 wl->links[hlid].prev_freed_pkts =
836 status->tx_lnk_free_pkts[hlid];
837 wl->links[hlid].allocated_pkts -= cnt;
838
839 wl12xx_irq_ps_regulate_link(wl, hlid,
840 wl->links[hlid].allocated_pkts);
841 }
regards,
dan carpenter
On Wed, Sep 21, 2011 at 10:25, Luciano Coelho <[email protected]> wrote:
> On Wed, 2011-09-21 at 00:05 -0700, Dan Carpenter wrote:
>> Hi Arik,
>>
>> Smatch complains about c47e8229fa56 "wl12xx: support up to 8 stations
>> in AP-mode"
>>
>> drivers/net/wireless/wl12xx/main.c +832 wl12xx_irq_update_links_status(22)
>> ? ? ? error: buffer overflow 'status->tx_lnk_free_pkts' 8 <= 10
>>
>> ? ?828 ? ? ? ? ?for (hlid = WL1271_AP_STA_HLID_START; hlid < AP_MAX_LINKS; hlid++) {
>> ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?^^^^^^^^^^^^
Again, good catch there Dan. We'll verify the fix internally before
releasing it (as it changes the host-fw interface).
I'll also add a BUILD_BUG_ON so this won't happen again.
Arik
On Wed, 2011-09-21 at 00:05 -0700, Dan Carpenter wrote:
> Hi Arik,
>
> Smatch complains about c47e8229fa56 "wl12xx: support up to 8 stations
> in AP-mode"
>
> drivers/net/wireless/wl12xx/main.c +832 wl12xx_irq_update_links_status(22)
> error: buffer overflow 'status->tx_lnk_free_pkts' 8 <= 10
>
> 828 for (hlid = WL1271_AP_STA_HLID_START; hlid < AP_MAX_LINKS; hlid++) {
> ^^^^^^^^^^^^
> We increased this to 11.
>
> 829 if (!wl1271_is_active_sta(wl, hlid))
> 830 continue;
> 831
> 832 cnt = status->tx_lnk_free_pkts[hlid] -
> ^^^^^^^^^^^^^^^^^^^^^^
>
> But the ->tx_lnk_free_pkts[] array still only has 8 elements so we're
> reading past the end of the array.
>
> 833 wl->links[hlid].prev_freed_pkts;
> 834
> 835 wl->links[hlid].prev_freed_pkts =
> 836 status->tx_lnk_free_pkts[hlid];
> 837 wl->links[hlid].allocated_pkts -= cnt;
> 838
> 839 wl12xx_irq_ps_regulate_link(wl, hlid,
> 840 wl->links[hlid].allocated_pkts);
> 841 }
Good catch, Dan! Thanks for checking this.
I checked our new firmware API and it seems that the wl12xx_fw_status
structure has changed. Now, WL12XX_MAX_LINKS, should be 12 instead of
8.
Arik, can you verify this and send a fix patch?
--
Cheers,
Luca.