Return-path: Received: from he.sipsolutions.net ([78.46.109.217]:51672 "EHLO sipsolutions.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752217Ab1IMHSm (ORCPT ); Tue, 13 Sep 2011 03:18:42 -0400 Subject: Re: [PATCH 3.1] iwlagn: fix stack corruption From: Johannes Berg To: Daniel Halperin Cc: julia@diku.dk, John Linville , Wey-Yi W Guy , Meenakshi Venkataraman , Alexander Diewald , linux-wireless In-Reply-To: (sfid-20110912_211617_837991_28F0A685) References: <1315854505.11834.3.camel@jlt3.sipsolutions.net> (sfid-20110912_211617_837991_28F0A685) Content-Type: text/plain; charset="UTF-8" Date: Tue, 13 Sep 2011 09:18:01 +0200 Message-ID: <1315898281.4554.0.camel@jlt3.sipsolutions.net> (sfid-20110913_091845_167623_9907D8A5) Mime-Version: 1.0 Sender: linux-wireless-owner@vger.kernel.org List-ID: On Mon, 2011-09-12 at 12:14 -0700, Daniel Halperin wrote: > On Mon, Sep 12, 2011 at 12:08 PM, Johannes Berg > wrote: > > > > --- a/drivers/net/wireless/iwlwifi/iwl-agn-ucode.c 2011-09-12 21:01:34.000000000 +0200 > > +++ b/drivers/net/wireless/iwlwifi/iwl-agn-ucode.c 2011-09-12 21:01:43.000000000 +0200 > > @@ -167,7 +167,7 @@ static int iwlagn_set_temperature_offset > > > > memset(&cmd, 0, sizeof(cmd)); > > iwl_set_calib_hdr(&cmd.hdr, IWL_PHY_CALIBRATE_TEMP_OFFSET_CMD); > > - memcpy(&cmd.radio_sensor_offset, offset_calib, sizeof(offset_calib)); > > + memcpy(&cmd.radio_sensor_offset, offset_calib, sizeof(*offset_calib)); > > if (!(cmd.radio_sensor_offset)) > > cmd.radio_sensor_offset = DEFAULT_RADIO_SENSOR_OFFSET; > > Nice catch! > > This kinda bug seems ideal for Julia Lawall's stuff to catch, doesn't it? > > Right: memcpy(addr, obj, sizeof(*obj)) > Wrong: memcpy(addr, obj, sizeof(obj)) That thought occurred to me as well, but I had been debugging until late at night so didn't even try to write a script to flag this. :) johannes
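Review bot: In the changed memcpy line the length now comes from the source, sizeof(*offset_calib), while the destination is the single field cmd.radio_sensor_offset, and the hunk shows neither type, so nothing visible ties the copy length to the width of the field being written. Bounding the copy by the destination with sizeof(cmd.radio_sensor_offset), or using a plain assignment such as cmd.radio_sensor_offset = *offset_calib; if the types allow it, would keep the write inside the field even if the pointee type changes later.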
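The "Right" and "Wrong" memcpy forms quoted above, as an added example that is not part of the original thread or the iwlwifi driver: it counts how many bytes past the command each length overwrites, using a byte-array frame with guard bytes in place of a real stack. The struct layout (16-bit offset field plus 16-bit pad after a 4-byte header), the helper names and the sample calibration data are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout (not shown on the page): 4-byte header, 16-bit offset, 16-bit pad. */
struct calib_hdr { uint8_t op_code, first_group, groups_num, data_valid; };
struct temp_offset_cmd {
    struct calib_hdr hdr;
    int16_t radio_sensor_offset;
    int16_t reserved;
};

#define GUARD 0xA5   /* fill value for the simulated neighbouring stack slots */
#define SLACK 16     /* guard bytes placed directly after the command */

/* Constructed sample calibration data; large enough that no copy over-reads. */
static const uint16_t sample_calib[8] = { 0x0102, 0x0304, 0x0506, 0x0708,
                                          0x090a, 0x0b0c, 0x0d0e, 0x0f10 };

/* Copy n bytes to the offset field inside a byte-array "frame" and
 * return how many guard bytes after the command were overwritten. */
static size_t guard_bytes_clobbered(const uint16_t *offset_calib, size_t n)
{
    unsigned char frame[sizeof(struct temp_offset_cmd) + SLACK];
    size_t i, hit = 0;

    memset(frame, GUARD, sizeof(frame));
    memset(frame, 0, sizeof(struct temp_offset_cmd)); /* stands in for memset(&cmd, 0, sizeof(cmd)) */
    memcpy(frame + offsetof(struct temp_offset_cmd, radio_sensor_offset),
           offset_calib, n);
    for (i = sizeof(struct temp_offset_cmd); i < sizeof(frame); i++)
        hit += (frame[i] != GUARD);
    return hit;
}

/* "Wrong" form: the length is the size of the pointer itself. */
size_t clobbered_sizeof_pointer(void)
{
    const uint16_t *offset_calib = sample_calib;
    return guard_bytes_clobbered(offset_calib, sizeof(offset_calib));
}

/* "Right" form: the length is the size of the pointed-to object. */
size_t clobbered_sizeof_pointee(void)
{
    const uint16_t *offset_calib = sample_calib;
    return guard_bytes_clobbered(offset_calib, sizeof(*offset_calib));
}
```

With 8-byte pointers the first function reports 4 clobbered guard bytes and the second reports 0. GCC and Clang flag the original pattern at compile time with -Wsizeof-pointer-memaccess when the sizeof argument is the same expression as the memcpy source or destination.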