Hello Kalle Valo,

The patch bdcd81707973: "Add ath6kl cleaned up driver" from Jul 18,
2011, leads to the following static checker warning:

        drivers/net/wireless/ath/ath6kl/wmi.c:1189 ath6kl_wmi_pstream_timeout_event_rx()
        error: buffer overflow 'wmi->stream_exist_for_ac' 4 <= 255 user_rl='0-255'

drivers/net/wireless/ath/ath6kl/wmi.c
  1171  /* Inactivity timeout of a fatpipe(pstream) at the target */
  1172  static int ath6kl_wmi_pstream_timeout_event_rx(struct wmi *wmi, u8 *datap,
  1173                                                 int len)
  1174  {
  1175          struct wmi_pstream_timeout_event *ev;
  1176
  1177          if (len < sizeof(struct wmi_pstream_timeout_event))
  1178                  return -EINVAL;
  1179
  1180          ev = (struct wmi_pstream_timeout_event *) datap;
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Smatch distrusts "datap" because it comes from skb->data on the receive
path.

  1181
  1182          /*
  1183           * When the pstream (fat pipe == AC) timesout, it means there were
  1184           * no thinStreams within this pstream & it got implicitly created
  1185           * due to data flow on this AC. We start the inactivity timer only
  1186           * for implicitly created pstream. Just reset the host state.
  1187           */
  1188          spin_lock_bh(&wmi->lock);
  1189          wmi->stream_exist_for_ac[ev->traffic_class] = 0;
                                         ^^^^^^^^^^^^^^^^^
How do we know it's less than 4?

  1190          wmi->fat_pipe_exist &= ~(1 << ev->traffic_class);
  1191          spin_unlock_bh(&wmi->lock);
  1192
  1193          /* Indicate inactivity to driver layer for this fatpipe (pstream) */
  1194          ath6kl_indicate_tx_activity(wmi->parent_dev, ev->traffic_class, false);
  1195
  1196          return 0;
  1197  }

regards,
dan carpenter
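
The check the report asks about, as an added example that is not part of the original email and is not the ath6kl driver's own code: a userspace model of the handler that validates the device-supplied index before using it. The `model_` names and the simplified struct layouts are assumptions; `NUM_AC` is 4 because the warning gives that as the array size.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NUM_AC 4 /* array size reported in the warning ("4 <= 255") */

/* Assumed, simplified layouts; the driver's real structs have more fields. */
struct model_event { uint8_t traffic_class; };
struct model_wmi {
    uint8_t stream_exist_for_ac[NUM_AC];
    uint8_t fat_pipe_exist;
};

static int model_pstream_timeout_event_rx(struct model_wmi *wmi,
                                          const uint8_t *datap, size_t len)
{
    struct model_event ev;

    if (len < sizeof(ev))
        return -EINVAL;
    memcpy(&ev, datap, sizeof(ev)); /* untrusted bytes from the device */

    /* A u8 can hold 0-255, so reject anything that is not a valid index. */
    if (ev.traffic_class >= NUM_AC)
        return -EINVAL;

    wmi->stream_exist_for_ac[ev.traffic_class] = 0;
    wmi->fat_pipe_exist &= (uint8_t)~(1u << ev.traffic_class);
    return 0;
}

/* Feed every possible u8 value through the handler; count accepted ones. */
static int model_count_accepted(void)
{
    int accepted = 0;
    for (int tc = 0; tc <= 255; tc++) {
        struct model_wmi wmi = { {1, 1, 1, 1}, 0x0f };
        uint8_t frame[1] = { (uint8_t)tc }; /* constructed sample event */
        if (model_pstream_timeout_event_rx(&wmi, frame, sizeof(frame)) == 0)
            accepted++;
    }
    return accepted;
}

int main(void)
{
    printf("accepted %d of 256 traffic_class values\n", model_count_accepted());
    return 0;
}
```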