
Re: [PATCH] libertas: Fix two buffer overflows at parsing bss descriptor

Hi,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on wireless-drivers-next/master]
[also build test WARNING on v5.4-rc8 next-20191122]
[if your patch is applied to the wrong git tree, please drop us a note to help
improve the system. BTW, we also suggest using the '--base' option to specify the
base tree in git format-patch; please see https://stackoverflow.com/a/37406982]

url:    https://github.com/0day-ci/linux/commits/huangwenabc-gmail-com/libertas-Fix-two-buffer-overflows-at-parsing-bss-descriptor/20191124-142236
base:   https://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers-next.git master
config: sh-allmodconfig (attached as .config)
compiler: sh4-linux-gcc (GCC) 7.4.0
reproduce:
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # save the attached .config to linux build tree
        GCC_VERSION=7.4.0 make.cross ARCH=sh 

If you fix the issue, kindly add the following tag
Reported-by: kbuild test robot <lkp@xxxxxxxxx>

All warnings (new ones prefixed by >>):

   drivers/net/wireless/marvell/libertas/cfg.c: In function 'lbs_ibss_join_existing':
>> drivers/net/wireless/marvell/libertas/cfg.c:1788:3: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
      u8 *rates = cmd.bss.rates;
      ^~

vim +1788 drivers/net/wireless/marvell/libertas/cfg.c

e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1715  
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1716  static int lbs_ibss_join_existing(struct lbs_private *priv,
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1717  	struct cfg80211_ibss_params *params,
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1718  	struct cfg80211_bss *bss)
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1719  {
9caf03640279e6 drivers/net/wireless/libertas/cfg.c         Johannes Berg 2012-11-29  1720  	const u8 *rates_eid;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1721  	struct cmd_ds_802_11_ad_hoc_join cmd;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1722  	u8 preamble = RADIO_PREAMBLE_SHORT;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1723  	int ret = 0;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1724  
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1725  	/* TODO: set preamble based on scan result */
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1726  	ret = lbs_set_radio(priv, preamble, 1);
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1727  	if (ret)
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1728  		goto out;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1729  
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1730  	/*
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1731  	 * Example CMD_802_11_AD_HOC_JOIN command:
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1732  	 *
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1733  	 * command         2c 00         CMD_802_11_AD_HOC_JOIN
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1734  	 * size            65 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1735  	 * sequence        xx xx
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1736  	 * result          00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1737  	 * bssid           02 27 27 97 2f 96
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1738  	 * ssid            49 42 53 53 00 00 00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1739  	 *                 00 00 00 00 00 00 00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1740  	 *                 00 00 00 00 00 00 00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1741  	 *                 00 00 00 00 00 00 00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1742  	 * type            02            CMD_BSS_TYPE_IBSS
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1743  	 * beacon period   64 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1744  	 * dtim period     00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1745  	 * timestamp       00 00 00 00 00 00 00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1746  	 * localtime       00 00 00 00 00 00 00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1747  	 * IE DS           03
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1748  	 * IE DS len       01
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1749  	 * IE DS channel   01
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1750  	 * reserveed       00 00 00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1751  	 * IE IBSS         06
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1752  	 * IE IBSS len     02
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1753  	 * IE IBSS atim    00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1754  	 * reserved        00 00 00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1755  	 * capability      02 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1756  	 * rates           82 84 8b 96 0c 12 18 24 30 48 60 6c 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1757  	 * fail timeout    ff 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1758  	 * probe delay     00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1759  	 */
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1760  	memset(&cmd, 0, sizeof(cmd));
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1761  	cmd.hdr.size = cpu_to_le16(sizeof(cmd));
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1762  
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1763  	memcpy(cmd.bss.bssid, bss->bssid, ETH_ALEN);
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1764  	memcpy(cmd.bss.ssid, params->ssid, params->ssid_len);
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1765  	cmd.bss.type = CMD_BSS_TYPE_IBSS;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1766  	cmd.bss.beaconperiod = cpu_to_le16(params->beacon_interval);
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1767  	cmd.bss.ds.header.id = WLAN_EID_DS_PARAMS;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1768  	cmd.bss.ds.header.len = 1;
683b6d3b31a519 drivers/net/wireless/libertas/cfg.c         Johannes Berg 2012-11-08  1769  	cmd.bss.ds.channel = params->chandef.chan->hw_value;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1770  	cmd.bss.ibss.header.id = WLAN_EID_IBSS_PARAMS;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1771  	cmd.bss.ibss.header.len = 2;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1772  	cmd.bss.ibss.atimwindow = 0;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1773  	cmd.bss.capability = cpu_to_le16(bss->capability & CAPINFO_MASK);
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1774  
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1775  	/* set rates to the intersection of our rates and the rates in the
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1776  	   bss */
9caf03640279e6 drivers/net/wireless/libertas/cfg.c         Johannes Berg 2012-11-29  1777  	rcu_read_lock();
9caf03640279e6 drivers/net/wireless/libertas/cfg.c         Johannes Berg 2012-11-29  1778  	rates_eid = ieee80211_bss_get_ie(bss, WLAN_EID_SUPP_RATES);
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1779  	if (!rates_eid) {
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1780  		lbs_add_rates(cmd.bss.rates);
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1781  	} else {
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1782  		int hw, i;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1783  		u8 rates_max = rates_eid[1];
bb7da3c8c1a225 drivers/net/wireless/marvell/libertas/cfg.c Wen Huang     2019-11-22  1784  		if (rates_max > MAX_RATES) {
bb7da3c8c1a225 drivers/net/wireless/marvell/libertas/cfg.c Wen Huang     2019-11-22  1785  			lbs_deb_join("invalid rates");
bb7da3c8c1a225 drivers/net/wireless/marvell/libertas/cfg.c Wen Huang     2019-11-22  1786  			goto out;
bb7da3c8c1a225 drivers/net/wireless/marvell/libertas/cfg.c Wen Huang     2019-11-22  1787  		}
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14 @1788  		u8 *rates = cmd.bss.rates;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1789  		for (hw = 0; hw < ARRAY_SIZE(lbs_rates); hw++) {
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1790  			u8 hw_rate = lbs_rates[hw].bitrate / 5;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1791  			for (i = 0; i < rates_max; i++) {
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1792  				if (hw_rate == (rates_eid[i+2] & 0x7f)) {
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1793  					u8 rate = rates_eid[i+2];
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1794  					if (rate == 0x02 || rate == 0x04 ||
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1795  					    rate == 0x0b || rate == 0x16)
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1796  						rate |= 0x80;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1797  					*rates++ = rate;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1798  				}
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1799  			}
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1800  		}
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1801  	}
9caf03640279e6 drivers/net/wireless/libertas/cfg.c         Johannes Berg 2012-11-29  1802  	rcu_read_unlock();
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1803  
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1804  	/* Only v8 and below support setting this */
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1805  	if (MRVL_FW_MAJOR_REV(priv->fwrelease) <= 8) {
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1806  		cmd.failtimeout = cpu_to_le16(MRVDRV_ASSOCIATION_TIME_OUT);
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1807  		cmd.probedelay = cpu_to_le16(CMD_SCAN_PROBE_DELAY_TIME);
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1808  	}
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1809  	ret = lbs_cmd_with_response(priv, CMD_802_11_AD_HOC_JOIN, &cmd);
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1810  	if (ret)
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1811  		goto out;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1812  
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1813  	/*
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1814  	 * This is a sample response to CMD_802_11_AD_HOC_JOIN:
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1815  	 *
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1816  	 * response        2c 80
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1817  	 * size            09 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1818  	 * sequence        xx xx
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1819  	 * result          00 00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1820  	 * reserved        00
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1821  	 */
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1822  	lbs_join_post(priv, params, bss->bssid, bss->capability);
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1823  
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1824   out:
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1825  	return ret;
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1826  }
e86dc1ca467644 drivers/net/wireless/libertas/cfg.c         Kiran Divekar 2010-06-14  1827  

:::::: The code at line 1788 was first introduced by commit
:::::: e86dc1ca4676445d9f0dfe35104efe0eb8a2f566 Libertas: cfg80211 support

:::::: TO: Kiran Divekar <dkiran@xxxxxxxxxxx>
:::::: CC: John W. Linville <linville@xxxxxxxxxxxxx>

---
0-DAY kernel test infrastructure                 Open Source Technology Center
https://lists.01.org/hyperkitty/list/kbuild-all@xxxxxxxxxxxx Intel Corporation

Attachment: .config.gz
Description: application/gzip
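Editor's note on the listing above, followed by an added example that is not part of the robot's report or of the libertas driver. The warning itself is a placement issue: the new check at line 1784 is a statement, and the declaration "u8 *rates = cmd.bss.rates;" at line 1788 follows it, which C90 forbids; moving that declaration up next to "int hw, i;" at line 1782 (or moving the check below it) silences it. Two things in the same lines matter more than the warning. The "goto out" at line 1786 jumps from inside the rcu_read_lock() region opened at line 1777 past the rcu_read_unlock() at line 1802, so the read-side critical section is never closed on the rejection path. And ret is still 0 from line 1723 when that goto runs, so the function rejects the peer's rates and still reports success to its caller. The C example below shows the same intersection loop as a stand-alone function that validates the untrusted length byte before any write, returns -EINVAL on bad input, and takes no lock, so the caller handles RCU. MAX_RATES = 14 and the lbs_bitrates table are assumptions modelled on the driver, the sample IEs are constructed, and every name is hypothetical.

```c
/*
 * Added example, not libertas code: bounds-checked construction of the
 * ad-hoc join rates list from a peer's Supported Rates IE. MAX_RATES and
 * the bitrate table are assumptions modelled on the driver; every name
 * here is hypothetical. Build: cc -std=c99 -Wall -Wextra rates.c
 */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t u8;

#define MAX_RATES 14            /* assumed size of cmd.bss.rates */
#define WLAN_EID_SUPP_RATES 1   /* 802.11 Supported Rates element ID */
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* Hardware bitrates in 100 kbit/s units, as lbs_rates[].bitrate is. */
static const unsigned int lbs_bitrates[] = {
	10, 20, 55, 110, 60, 90, 120, 180, 240, 360, 480, 540,
};

/*
 * Intersect the peer's Supported Rates IE with our hardware rates and
 * write the result to out[], which holds MAX_RATES bytes.
 *
 * ie points at the element header (id, len, body...) inside a scan
 * buffer of ie_buf_len bytes. The length byte is untrusted: it came
 * from a beacon or probe response any nearby station can transmit.
 *
 * Returns the number of rates written, or -EINVAL for a malformed IE.
 */
static int build_join_rates(const u8 *ie, size_t ie_buf_len, u8 *out)
{
	size_t hw, i, n = 0;
	u8 rates_max;

	memset(out, 0, MAX_RATES);

	if (!ie || ie_buf_len < 2 || ie[0] != WLAN_EID_SUPP_RATES)
		return -EINVAL;
	rates_max = ie[1];

	/* The body must lie inside the buffer we were handed ... */
	if ((size_t)rates_max + 2 > ie_buf_len)
		return -EINVAL;
	/*
	 * ... and must fit the destination. Each IE byte matches at most
	 * one distinct hw rate, so at most rates_max bytes are written
	 * below; bounding rates_max bounds the writes. Without this check
	 * a 255-byte IE full of 0x02 writes 255 bytes into a 14-byte array.
	 */
	if (rates_max > MAX_RATES)
		return -EINVAL;

	for (hw = 0; hw < ARRAY_SIZE(lbs_bitrates); hw++) {
		u8 hw_rate = (u8)(lbs_bitrates[hw] / 5);  /* 500 kbit/s units */

		for (i = 0; i < rates_max; i++) {
			u8 rate = ie[i + 2];

			if (hw_rate != (rate & 0x7f))
				continue;
			/* The 802.11b rates are always sent as basic rates. */
			if (rate == 0x02 || rate == 0x04 ||
			    rate == 0x0b || rate == 0x16)
				rate |= 0x80;
			out[n++] = rate;
		}
	}
	return (int)n;
}

/* Constructed sample IEs (not captured frames). */
static const u8 sample_good[] = {
	0x01, 0x06, 0x82, 0x84, 0x0b, 0x16, 0x0c, 0x6c, /* 1 2 5.5 11 6 54 Mbit/s */
};
static const u8 sample_oversized[] = {              /* len 15 > MAX_RATES */
	0x01, 0x0f, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
	0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02,
};
static const u8 sample_truncated[] = { 0x01, 0x0a, 0x02, 0x04 }; /* len 10, 2 bytes present */

static u8 demo_out[MAX_RATES];

/* Each demo_* runs one sample through build_join_rates() and returns its result. */
static int demo_good(void)
{
	return build_join_rates(sample_good, sizeof(sample_good), demo_out);
}
static int demo_good_rate(size_t i)     /* i-th rate left by demo_good() */
{
	return i < MAX_RATES ? demo_out[i] : -1;
}
static int demo_oversized(void)
{
	return build_join_rates(sample_oversized, sizeof(sample_oversized), demo_out);
}
static int demo_truncated(void)
{
	return build_join_rates(sample_truncated, sizeof(sample_truncated), demo_out);
}

int main(void)
{
	int n = demo_good(), i;

	printf("good IE: %d rates:", n);
	for (i = 0; i < n; i++)
		printf(" %02x", demo_good_rate((size_t)i));
	printf("\noversized IE -> %d, truncated IE -> %d\n",
	       demo_oversized(), demo_truncated());
	return 0;
}
```

The good sample yields six rates in hardware order, with 5.5 and 11 Mbit/s promoted to basic (0x8b, 0x96) exactly as the loop in the listing does; the 17-byte IE with len 15 is rejected before a byte is written, and so is an IE whose declared length runs past the end of the buffer, a case the check in the listing does not cover because it trusts the scan buffer to hold the whole element.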

