On Tue, Nov 05, 2019 at 06:11:03AM +0000, Ajay.Kathat@xxxxxxxxxxxxx wrote: > > > On 04-Nov-19 11:08 PM, coverity-bot wrote: > > External E-Mail > > > > > > Hello! > > > > This is an experimental automated report about issues detected by Coverity > > from a scan of next-20191031 as part of the linux-next weekly scan project: > > https://scan.coverity.com/projects/linux-next-weekly-scan > > > > You're getting this email because you were associated with the identified > > lines of code (noted below) that were touched by recent commits: > > > > 4e0b0f42c9c7 ("staging: wilc1000: use struct to pack join parameters for FW") > > > > Coverity reported the following: > > > > *** CID 1487400: Memory - illegal accesses (OVERRUN) > > /drivers/staging/wilc1000/wilc_hif.c: 496 in wilc_parse_join_bss_param() > > 490 if (supp_rates_ie) { > > 491 if (supp_rates_ie[1] > (WILC_MAX_RATES_SUPPORTED - rates_len)) > > 492 param->supp_rates[0] = WILC_MAX_RATES_SUPPORTED; > > 493 else > > 494 param->supp_rates[0] += supp_rates_ie[1]; > > 495 > > vvv CID 1487400: Memory - illegal accesses (OVERRUN) > > vvv Overrunning array of 13 bytes at byte offset 13 by dereferencing pointer "¶m->supp_rates[rates_len + 1]". [Note: The source code implementation of the function has been overridden by a builtin model.] > > 496 memcpy(¶m->supp_rates[rates_len + 1], supp_rates_ie + 2, > > 497 (param->supp_rates[0] - rates_len)); > > As I understand, Ideally this condition should never arise because the > maximum number of supported *basic rates* is up to 8 so the value of > ‘rate_len’ will always be less then WILC_MAX_RATES_SUPPPRTED (i.e 12). > Therefore '¶m->supp_rates[rates_len+ 1]' will never try to access > the 13 bytes in the array. > But for the safer side, if need I can create a patch to block the > addition of extended supported rates in ‘param->supp_rates’ array if > ‘rates_len’ is 12 (i.e 'param->supp_rates' array is full after filing > the basic supported rates). I don't know the code myself, but generally speaking, it's best to validate any assumptions like this. I'd say add a patch for it, since it sounds pretty straight-forward to test. -Kees > > > 498 } > > 499 > > 500 ht_ie = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies->data, ies->len); > > 501 if (ht_ie) > > > > If this is a false positive, please let us know so we can mark it as > > such, or teach the Coverity rules to be smarter. If not, please make > > sure fixes get into linux-next. :) For patches fixing this, please > > include these lines (but double-check the "Fixes" first): > > > > Reported-by: coverity-bot <keescook+coverity-bot@xxxxxxxxxxxx> > > Addresses-Coverity-ID: 1487400 ("Memory - illegal accesses") > > Fixes: 4e0b0f42c9c7 ("staging: wilc1000: use struct to pack join parameters for FW") > > > > > > Thanks for your attention! > > -- Kees Cook
