Return-path: Received: from mail-wy0-f174.google.com ([74.125.82.174]:45598 "EHLO mail-wy0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754176Ab0LTIay (ORCPT ); Mon, 20 Dec 2010 03:30:54 -0500 Received: by wyb28 with SMTP id 28so2603483wyb.19 for ; Mon, 20 Dec 2010 00:30:53 -0800 (PST) Date: Mon, 20 Dec 2010 11:30:41 +0300 From: Dan Carpenter To: Vasanthakumar Thiagarajan Cc: linux-wireless@vger.kernel.org, ath9k-devel@lists.ath9k.org Subject: smatch stuff: potential read past the end of the buffer Message-ID: <20101220083041.GQ1936@bicker> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: linux-wireless-owner@vger.kernel.org List-ID: Hello Vasanthakumar, Smatch complains that in linux-next 60e0c3a7 "ath9k_hw: Eeeprom changes for AR9485" means there is a potential read past the end of the buffer int ar9300_eeprom_restore_internal(). drivers/net/wireless/ath/ath9k/ar9003_eeprom.c +3381 ar9300_eeprom_restore_internal(81) error: buffer overflow 'word' 2048 <= 4099 "word" is allocated with 2048 bytes: word = kzalloc(2048, GFP_KERNEL); "length" can be up to 4099: if ((!AR_SREV_9485(ah) && length >= 1024) || (AR_SREV_9485(ah) && length >= (4 * 1024))) { ^^^^^^^^^^^^^^^^^^^^^ so "osize" can be up to 4099 as well: osize = length; We're reading way past the end of the word array here: mchecksum = word[COMP_HDR_LEN + osize] | ^^^^^^^^^^^^^^^^^^^^^^^^^^ (word[COMP_HDR_LEN + osize + 1] << 8); I don't know how to fix this. Can you take a look? regards, dan carpenter