On Tue, Apr 14, 2020 at 09:01:18AM -0700, Joe Perches wrote:
> On Tue, 2020-04-14 at 15:33 +0300, Dan Carpenter wrote:
> > On Mon, Apr 13, 2020 at 03:01:28AM +0000, Camylla Goncalves Cantanheide wrote:
> > > +
> > > + for (i = 2; i < CAM_CONTENT_COUNT; i++) {
> > > + write_nic_dword(dev, WCAMI, *keycontent++);
> >
> > This code was wrong in the original as well, but now that I see the bug
> > let's fix it. CAM_CONTENT_COUNT is 8. 8 - 2 = 6. We are writing 6
> > u32 variables to write_nic_dword(). But the *keycontent buffer only has
> > 4 u32 variables so it is a buffer overflow.
>
> Did you find the overflow with smatch?
No. Smatch isn't smart enough to understand that *(keycontent + i - 2)
is an array overflow. It thinks *(keycontent + i) is an array overflow
but the "- 2" confuses it. Also Smatch isn't smart enough to parse the
*keycontent++. It takes a shortcut when it parses loops.
To be honest, I just didn't like starting the loop from 2 and was trying
to see if there was a better define to use.
I agree that your solution of making the buffer larger is probably the
safest approach given that none of us really know the hardware.
regards,
dan carpenter
_______________________________________________
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxx
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
