Hello Yan-Hsuan Chuang,
The patch e3037485c68e: "rtw88: new Realtek 802.11ac driver" from Apr
26, 2019, leads to the following static checker warning:
drivers/net/wireless/realtek/rtw88/efuse.c:78 rtw_dump_logical_efuse_map()
error: buffer overflow 'log_map' 768 <= 768
drivers/net/wireless/realtek/rtw88/efuse.c
38 static int rtw_dump_logical_efuse_map(struct rtw_dev *rtwdev, u8 *phy_map,
39 u8 *log_map)
40 {
41 u32 physical_size = rtwdev->efuse.physical_size;
42 u32 protect_size = rtwdev->efuse.protect_size;
43 u32 logical_size = rtwdev->efuse.logical_size;
44 u32 phy_idx, log_idx;
45 u8 hdr1, hdr2;
46 u8 blk_idx;
47 u8 word_en;
48 int i;
49
50 for (phy_idx = 0; phy_idx < physical_size - protect_size;) {
51 hdr1 = phy_map[phy_idx];
52 hdr2 = phy_map[phy_idx + 1];
53 if (invalid_efuse_header(hdr1, hdr2))
54 break;
55
56 if ((hdr1 & 0x1f) == 0xf) {
57 /* 2-byte header format */
58 blk_idx = get_efuse_blk_idx_2_byte(hdr1, hdr2);
59 word_en = hdr2 & 0xf;
60 phy_idx += 2;
61 } else {
62 /* 1-byte header format */
63 blk_idx = get_efuse_blk_idx_1_byte(hdr1);
64 word_en = hdr1 & 0xf;
65 phy_idx += 1;
66 }
67
68 for (i = 0; i < 4; i++) {
69 if (invalid_efuse_content(word_en, i))
70 continue;
71
72 log_idx = block_idx_to_logical_idx(blk_idx, i);
73 if (phy_idx + 1 > physical_size - protect_size ||
74 log_idx + 1 > logical_size)
^^^^^^^^^^^^^^^^^^^^^^^^^^
This is a false positive because we know that "log_idx + 1" is an odd
number and logical_size is even so they can't be equal... But I wonder
if it would make it more readable to change the > to >=?
The log_map[] array has logical_size elements. It's allocated in
rtw_parse_efuse_map().
75 return -EINVAL;
76
77 log_map[log_idx] = phy_map[phy_idx];
78 log_map[log_idx + 1] = phy_map[phy_idx + 1];
^^^^^^^^^^^^^^^^^^^
79 phy_idx += 2;
80 }
81 }
82 return 0;
regards,
dan carpenter
