On 04-Nov-19 11:08 PM, coverity-bot wrote: > External E-Mail > > > Hello! > > This is an experimental automated report about issues detected by Coverity > from a scan of next-20191031 as part of the linux-next weekly scan project: > https://scan.coverity.com/projects/linux-next-weekly-scan > > You're getting this email because you were associated with the identified > lines of code (noted below) that were touched by recent commits: > > 4e0b0f42c9c7 ("staging: wilc1000: use struct to pack join parameters for FW") > > Coverity reported the following: > > *** CID 1487400: Memory - illegal accesses (OVERRUN) > /drivers/staging/wilc1000/wilc_hif.c: 496 in wilc_parse_join_bss_param() > 490 if (supp_rates_ie) { > 491 if (supp_rates_ie[1] > (WILC_MAX_RATES_SUPPORTED - rates_len)) > 492 param->supp_rates[0] = WILC_MAX_RATES_SUPPORTED; > 493 else > 494 param->supp_rates[0] += supp_rates_ie[1]; > 495 > vvv CID 1487400: Memory - illegal accesses (OVERRUN) > vvv Overrunning array of 13 bytes at byte offset 13 by dereferencing pointer "¶m->supp_rates[rates_len + 1]". [Note: The source code implementation of the function has been overridden by a builtin model.] > 496 memcpy(¶m->supp_rates[rates_len + 1], supp_rates_ie + 2, > 497 (param->supp_rates[0] - rates_len)); As I understand, Ideally this condition should never arise because the maximum number of supported *basic rates* is up to 8 so the value of ‘rate_len’ will always be less then WILC_MAX_RATES_SUPPPRTED (i.e 12). Therefore '¶m->supp_rates[rates_len+ 1]' will never try to access the 13 bytes in the array. But for the safer side, if need I can create a patch to block the addition of extended supported rates in ‘param->supp_rates’ array if ‘rates_len’ is 12 (i.e 'param->supp_rates' array is full after filing the basic supported rates). > 498 } > 499 > 500 ht_ie = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies->data, ies->len); > 501 if (ht_ie) > > If this is a false positive, please let us know so we can mark it as > such, or teach the Coverity rules to be smarter. If not, please make > sure fixes get into linux-next. :) For patches fixing this, please > include these lines (but double-check the "Fixes" first): > > Reported-by: coverity-bot <keescook+coverity-bot@xxxxxxxxxxxx> > Addresses-Coverity-ID: 1487400 ("Memory - illegal accesses") > Fixes: 4e0b0f42c9c7 ("staging: wilc1000: use struct to pack join parameters for FW") > > > Thanks for your attention! >
