On 05-Nov-19 10:42 PM, Kees Cook wrote: > External E-Mail > > > On Tue, Nov 05, 2019 at 06:11:03AM +0000, Ajay.Kathat@xxxxxxxxxxxxx wrote: >> >> >> On 04-Nov-19 11:08 PM, coverity-bot wrote: >>> External E-Mail >>> >>> >>> Hello! >>> >>> This is an experimental automated report about issues detected by Coverity >>> from a scan of next-20191031 as part of the linux-next weekly scan project: >>> https://scan.coverity.com/projects/linux-next-weekly-scan >>> >>> You're getting this email because you were associated with the identified >>> lines of code (noted below) that were touched by recent commits: >>> >>> 4e0b0f42c9c7 ("staging: wilc1000: use struct to pack join parameters for FW") >>> >>> Coverity reported the following: >>> >>> *** CID 1487400: Memory - illegal accesses (OVERRUN) >>> /drivers/staging/wilc1000/wilc_hif.c: 496 in wilc_parse_join_bss_param() >>> 490 if (supp_rates_ie) { >>> 491 if (supp_rates_ie[1] > (WILC_MAX_RATES_SUPPORTED - rates_len)) >>> 492 param->supp_rates[0] = WILC_MAX_RATES_SUPPORTED; >>> 493 else >>> 494 param->supp_rates[0] += supp_rates_ie[1]; >>> 495 >>> vvv CID 1487400: Memory - illegal accesses (OVERRUN) >>> vvv Overrunning array of 13 bytes at byte offset 13 by dereferencing pointer "¶m->supp_rates[rates_len + 1]". [Note: The source code implementation of the function has been overridden by a builtin model.] >>> 496 memcpy(¶m->supp_rates[rates_len + 1], supp_rates_ie + 2, >>> 497 (param->supp_rates[0] - rates_len)); >> >> As I understand, Ideally this condition should never arise because the >> maximum number of supported *basic rates* is up to 8 so the value of >> ‘rate_len’ will always be less then WILC_MAX_RATES_SUPPPRTED (i.e 12). >> Therefore '¶m->supp_rates[rates_len+ 1]' will never try to access >> the 13 bytes in the array. >> But for the safer side, if need I can create a patch to block the >> addition of extended supported rates in ‘param->supp_rates’ array if >> ‘rates_len’ is 12 (i.e 'param->supp_rates' array is full after filing >> the basic supported rates). > > I don't know the code myself, but generally speaking, it's best to > validate any assumptions like this. I'd say add a patch for it, since it > sounds pretty straight-forward to test. Sure, I will add a patch for this. Regards, Ajay
