LinuxLists.cc - [drivers/net/wireless/marvell] Question about a possible underflow in mwifiex_11h_handle_chanrpt

2024-03-14 22:21:21

Subject: [drivers/net/wireless/marvell] Question about a possible underflow in mwifiex_11h_handle_chanrpt_ready()

Dear MARVELL Developers,

We are curious whether the function `mwifiex_11h_handle_chanrpt_ready()` might have an underflow.

The function is https://elixir.bootlin.com/linux/v6.8/source/drivers/net/wireless/marvell/mwifiex/11h.c#L193
and the relevant code is
```
int mwifiex_11h_handle_chanrpt_ready(struct mwifiex_private *priv,
struct sk_buff *skb)
{
struct host_cmd_ds_chan_rpt_event *rpt_event;
struct mwifiex_ie_types_chan_rpt_data *rpt;
u16 event_len, tlv_len;

rpt_event = (void *)(skb->data + sizeof(u32));
event_len = skb->len - (sizeof(struct host_cmd_ds_chan_rpt_event)+
sizeof(u32));
...
while (event_len >= sizeof(struct mwifiex_ie_types_header)) {
rpt = (void *)&rpt_event->tlvbuf;
tlv_len = le16_to_cpu(rpt->header.len);

switch (le16_to_cpu(rpt->header.type)) {
case TLV_TYPE_CHANRPT_11H_BASIC:
if (rpt->map.radar) {
mwifiex_dbg(priv->adapter, MSG,
"RADAR Detected on channel %d!\n",
priv->dfs_chandef.chan->hw_value);
cancel_delayed_work_sync(&priv->dfs_cac_work);
cfg80211_cac_event(priv->netdev,
&priv->dfs_chandef,
NL80211_RADAR_DETECTED,
GFP_KERNEL);
}
break;
default:
break;
}

event_len -= (tlv_len + sizeof(rpt->header));
}

return 0;
}
```

Here if the `tlv_len + sizeof(rpt->header)` is greater than `event_len`, then `event_len` will underflow since they are both unsigned integers.
We are curious whether `event_len` is guaranteed to be greater than or equal to `tlv_len + sizeof(rpt->header)` in each iteration since we found that `sizeof(struct mwifiex_ie_types_header) == sizeof(rpt->header)`.

Please kindly correct us if we missed any key information. Looking forward to your response!

Best,
Chenyuan

2024-03-15 23:59:01

by Brian Norris

[permalink] [raw]

Subject: Re: [drivers/net/wireless/marvell] Question about a possible underflow in mwifiex_11h_handle_chanrpt_ready()

On Thu, Mar 14, 2024 at 05:21:12PM -0500, Chenyuan Yang wrote:
> We are curious whether `event_len` is guaranteed to be greater than or
> equal to `tlv_len + sizeof(rpt->header)` in each iteration since we
> found that `sizeof(struct mwifiex_ie_types_header) ==
> sizeof(rpt->header)`.

You have the code available to look at just as well as we do. I don't
see any such guarantee on first glance.

Patches welcome as always.
https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches

Brian