Search Linux Wireless

Re: [bug report] mt76: mt7915: introduce 802.11ax multi-bss support

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

> Hello Lorenzo Bianconi,
> 
> The patch 6b7f9aff7c67: "mt76: mt7915: introduce 802.11ax multi-bss
> support" from Mar 15, 2022, leads to the following Smatch static
> checker warning:
> 
> 	drivers/net/wireless/mediatek/mt76/mt7915/mcu.c:1872 mt7915_mcu_beacon_mbss()
> 	error: undefined (user controlled) shift '(((1))) << (data[2])'

I do not think it is a real issue since bssid_index is supposed to be limited
by mbssid_max_interfaces (set to 16 for 7915), but I will add a check. Thanks.

Regards,
Lorenzo

> 
> drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
>     1828 static void
>     1829 mt7915_mcu_beacon_mbss(struct sk_buff *rskb, struct sk_buff *skb,
>     1830                        struct ieee80211_vif *vif, struct bss_info_bcn *bcn,
>     1831                        struct ieee80211_mutable_offsets *offs)
>     1832 {
>     1833         struct bss_info_bcn_mbss *mbss;
>     1834         const struct element *elem;
>     1835         struct tlv *tlv;
>     1836 
>     1837         if (!vif->bss_conf.bssid_indicator)
>     1838                 return;
>     1839 
>     1840         tlv = mt7915_mcu_add_nested_subtlv(rskb, BSS_INFO_BCN_MBSSID,
>     1841                                            sizeof(*mbss), &bcn->sub_ntlv,
>     1842                                            &bcn->len);
>     1843 
>     1844         mbss = (struct bss_info_bcn_mbss *)tlv;
>     1845         mbss->offset[0] = cpu_to_le16(offs->tim_offset);
>     1846         mbss->bitmap = cpu_to_le32(1);
>     1847 
>     1848         for_each_element_id(elem, WLAN_EID_MULTIPLE_BSSID,
>     1849                             &skb->data[offs->mbssid_off],
>     1850                             skb->len - offs->mbssid_off) {
>     1851                 const struct element *sub_elem;
>     1852 
>     1853                 if (elem->datalen < 2)
>     1854                         continue;
>     1855 
>     1856                 for_each_element(sub_elem, elem->data + 1, elem->datalen - 1) {
>     1857                         const u8 *data;
>     1858 
>     1859                         if (sub_elem->id || sub_elem->datalen < 4)
>     1860                                 continue; /* not a valid BSS profile */
>     1861 
>     1862                         /* Find WLAN_EID_MULTI_BSSID_IDX
>     1863                          * in the merged nontransmitted profile
>     1864                          */
>     1865                         data = cfg80211_find_ie(WLAN_EID_MULTI_BSSID_IDX,
>     1866                                                 sub_elem->data,
>     1867                                                 sub_elem->datalen);
>     1868                         if (!data || data[1] < 1 || !data[2])
> 
> This probably needs a "|| data[2] > 31" but maybe using a define?
> 
>     1869                                 continue;
>     1870 
>     1871                         mbss->offset[data[2]] = cpu_to_le16(data - skb->data);
> --> 1872                         mbss->bitmap |= cpu_to_le32(BIT(data[2]));
>     1873                 }
>     1874         }
>     1875 }
> 
> regards,
> dan carpenter

Attachment: signature.asc
Description: PGP signature

[Index of Archives]     [Linux Host AP]     [ATH6KL]     [Linux Wireless Personal Area Network]     [Linux Bluetooth]     [Wireless Regulations]     [Linux Netdev]     [Kernel Newbies]     [Linux Kernel]     [IDE]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite Hiking]     [MIPS Linux]     [ARM Linux]     [Linux RAID]

  Powered by Linux