Hello Wolfram Sang,

The patch 13a9930d15b4: "staging: ks7010: add driver from Nanonote
extra-repository" from May 31, 2016, leads to the following Smatch
static checker warning:

    drivers/staging/ks7010/ks_wlan_net.c:2108 ks_wlan_set_wps_probe_req()
    error: 'len' from user is not capped properly

drivers/staging/ks7010/ks_wlan_net.c
  2088  static int ks_wlan_set_wps_probe_req(struct net_device *dev,
  2089                                       struct iw_request_info *info,
  2090                                       union iwreq_data *uwrq, char *extra)
  2091  {
  2092          struct iw_point *dwrq = &uwrq->data;
  2093          u8 *p = extra;
  2094          unsigned char len;
                ^^^^^^^^^^^^^^^^^^
  2095          struct ks_wlan_private *priv = netdev_priv(dev);
  2096
  2097          if (priv->sleep_mode == SLP_SLEEP)
  2098                  return -EPERM;
  2099
  2100          /* length check */
  2101          if (p[1] + 2 != dwrq->length || dwrq->length > 256)

Should this be >= instead of >?  Otherwise, if it's 256, the check passes.

  2102                  return -EINVAL;
  2103
  2104          priv->wps.ielen = p[1] + 2 + 1; /* IE header + IE + sizeof(len) */
  2105          len = p[1] + 2; /* IE header + IE */

That means that "len" gets truncated to zero: p[1] + 2 is 256 in that
case, which does not fit in an unsigned char, so the memcpy() on line
2108 copies zero bytes.

  2106
  2107          memcpy(priv->wps.ie, &len, sizeof(len));
--> 2108          p = memcpy(priv->wps.ie + 1, p, len);
  2109
  2110          netdev_dbg(dev, "%d(%#x): %02X %02X %02X %02X ... %02X %02X %02X\n",
  2111                     priv->wps.ielen, priv->wps.ielen, p[0], p[1], p[2], p[3],
  2112                     p[priv->wps.ielen - 3], p[priv->wps.ielen - 2],
  2113                     p[priv->wps.ielen - 1]);
  2114
  2115          hostif_sme_enqueue(priv, SME_WPS_PROBE_REQUEST);
  2116
  2117          return 0;
  2118  }

regards,
dan carpenter