On Tue, Apr 14, 2020 at 09:01:18AM -0700, Joe Perches wrote: > On Tue, 2020-04-14 at 15:33 +0300, Dan Carpenter wrote: > > On Mon, Apr 13, 2020 at 03:01:28AM +0000, Camylla Goncalves Cantanheide wrote: > > > + > > > + for (i = 2; i < CAM_CONTENT_COUNT; i++) { > > > + write_nic_dword(dev, WCAMI, *keycontent++); > > > > This code was wrong in the original as well, but now that I see the bug > > let's fix it. CAM_CONTENT_COUNT is 8. 8 - 2 = 6. We are writing 6 > > u32 variables to write_nic_dword(). But the *keycontent buffer only has > > 4 u32 variables so it is a buffer overflow. > > Did you find the overflow with smatch? No. Smatch isn't smart enough to understand that *(keycontent + i - 2) is an array overflow. It thinks *(keycontent + i) is an array overflow but the "- 2" confuses it. Also Smatch isn't smart enough to parse the *keycontent++. It takes a shortcut when it parses loops. To be honest, I just didn't like starting the loop from 2 and was trying to see if there was a better define to use. I agree that your solution of making the buffer larger is probably the safest approach given that none of us really know the hardware. regards, dan carpenter _______________________________________________ devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxx http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel