Hello Johannes Berg, The patch 325839da9581: "wifi: cfg80211: simplify cfg80211_mlme_auth() prototype" from Jun 1, 2022, leads to the following Smatch static checker warning: net/wireless/nl80211.c:10310 nl80211_authenticate() warn: assigning signed to unsigned: 'req.key_idx = key.idx' '(-1)-3' net/wireless/nl80211.c 10192 static int nl80211_authenticate(struct sk_buff *skb, struct genl_info *info) 10193 { 10194 struct cfg80211_registered_device *rdev = info->user_ptr[0]; 10195 struct net_device *dev = info->user_ptr[1]; 10196 struct ieee80211_channel *chan; 10197 const u8 *bssid, *ssid; 10198 int err, ssid_len; 10199 enum nl80211_auth_type auth_type; 10200 struct key_parse key; 10201 bool local_state_change; 10202 struct cfg80211_auth_request req = {}; 10203 u32 freq; 10204 10205 if (!info->attrs[NL80211_ATTR_MAC]) 10206 return -EINVAL; 10207 10208 if (!info->attrs[NL80211_ATTR_AUTH_TYPE]) 10209 return -EINVAL; 10210 10211 if (!info->attrs[NL80211_ATTR_SSID]) 10212 return -EINVAL; 10213 10214 if (!info->attrs[NL80211_ATTR_WIPHY_FREQ]) 10215 return -EINVAL; 10216 10217 err = nl80211_parse_key(info, &key); 10218 if (err) 10219 return err; 10220 10221 if (key.idx >= 0) { 10222 if (key.type != -1 && key.type != NL80211_KEYTYPE_GROUP) 10223 return -EINVAL; 10224 if (!key.p.key || !key.p.key_len) 10225 return -EINVAL; 10226 if ((key.p.cipher != WLAN_CIPHER_SUITE_WEP40 || 10227 key.p.key_len != WLAN_KEY_LEN_WEP40) && 10228 (key.p.cipher != WLAN_CIPHER_SUITE_WEP104 || 10229 key.p.key_len != WLAN_KEY_LEN_WEP104)) 10230 return -EINVAL; 10231 if (key.idx > 3) 10232 return -EINVAL; 10233 } else { 10234 key.p.key_len = 0; 10235 key.p.key = NULL; Apparently key.idx can be -1 on this path 10236 } 10237 10238 if (key.idx >= 0) { 10239 int i; 10240 bool ok = false; 10241 10242 for (i = 0; i < rdev->wiphy.n_cipher_suites; i++) { 10243 if (key.p.cipher == rdev->wiphy.cipher_suites[i]) { 10244 ok = true; 10245 break; 10246 } 10247 } 10248 if (!ok) 10249 return -EINVAL; 10250 } And 
here 10251 10252 if (!rdev->ops->auth) 10253 return -EOPNOTSUPP; 10254 10255 if (dev->ieee80211_ptr->iftype != NL80211_IFTYPE_STATION && 10256 dev->ieee80211_ptr->iftype != NL80211_IFTYPE_P2P_CLIENT) 10257 return -EOPNOTSUPP; 10258 10259 bssid = nla_data(info->attrs[NL80211_ATTR_MAC]); 10260 freq = MHZ_TO_KHZ(nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ])); 10261 if (info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]) 10262 freq += 10263 nla_get_u32(info->attrs[NL80211_ATTR_WIPHY_FREQ_OFFSET]); 10264 10265 chan = nl80211_get_valid_chan(&rdev->wiphy, freq); 10266 if (!chan) 10267 return -EINVAL; 10268 10269 ssid = nla_data(info->attrs[NL80211_ATTR_SSID]); 10270 ssid_len = nla_len(info->attrs[NL80211_ATTR_SSID]); 10271 10272 if (info->attrs[NL80211_ATTR_IE]) { 10273 req.ie = nla_data(info->attrs[NL80211_ATTR_IE]); 10274 req.ie_len = nla_len(info->attrs[NL80211_ATTR_IE]); 10275 } 10276 10277 auth_type = nla_get_u32(info->attrs[NL80211_ATTR_AUTH_TYPE]); 10278 if (!nl80211_valid_auth_type(rdev, auth_type, NL80211_CMD_AUTHENTICATE)) 10279 return -EINVAL; 10280 10281 if ((auth_type == NL80211_AUTHTYPE_SAE || 10282 auth_type == NL80211_AUTHTYPE_FILS_SK || 10283 auth_type == NL80211_AUTHTYPE_FILS_SK_PFS || 10284 auth_type == NL80211_AUTHTYPE_FILS_PK) && 10285 !info->attrs[NL80211_ATTR_AUTH_DATA]) 10286 return -EINVAL; 10287 10288 if (info->attrs[NL80211_ATTR_AUTH_DATA]) { 10289 if (auth_type != NL80211_AUTHTYPE_SAE && 10290 auth_type != NL80211_AUTHTYPE_FILS_SK && 10291 auth_type != NL80211_AUTHTYPE_FILS_SK_PFS && 10292 auth_type != NL80211_AUTHTYPE_FILS_PK) 10293 return -EINVAL; 10294 req.auth_data = nla_data(info->attrs[NL80211_ATTR_AUTH_DATA]); 10295 req.auth_data_len = nla_len(info->attrs[NL80211_ATTR_AUTH_DATA]); 10296 } 10297 10298 local_state_change = !!info->attrs[NL80211_ATTR_LOCAL_STATE_CHANGE]; 10299 10300 /* 10301 * Since we no longer track auth state, ignore 10302 * requests to only change local state. 
10303 */ 10304 if (local_state_change) 10305 return 0; 10306 10307 req.auth_type = auth_type; 10308 req.key = key.p.key; 10309 req.key_len = key.p.key_len; --> 10310 req.key_idx = key.idx; So do we really want to set "req.key_idx to (u8)-1" here? 10311 req.link_id = nl80211_link_id_or_invalid(info->attrs); 10312 if (req.link_id >= 0) { 10313 if (!info->attrs[NL80211_ATTR_MLD_ADDR]) 10314 return -EINVAL; 10315 req.ap_mld_addr = nla_data(info->attrs[NL80211_ATTR_MLD_ADDR]); 10316 } 10317 10318 req.bss = cfg80211_get_bss(&rdev->wiphy, chan, bssid, ssid, ssid_len, 10319 IEEE80211_BSS_TYPE_ESS, 10320 IEEE80211_PRIVACY_ANY); 10321 if (!req.bss) 10322 return -ENOENT; 10323 10324 wdev_lock(dev->ieee80211_ptr); 10325 err = cfg80211_mlme_auth(rdev, dev, &req); 10326 wdev_unlock(dev->ieee80211_ptr); 10327 10328 cfg80211_put_bss(&rdev->wiphy, req.bss); 10329 10330 return err; 10331 } regards, dan carpenter
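Review bot: At 10311-10316 the link ID and AP MLD address from the netlink request reach cfg80211_mlme_auth() after only a presence check on NL80211_ATTR_MLD_ADDR. Nothing in the quoted function confirms that the wiphy advertises MLO support or that the address is a valid unicast MAC, so a driver without MLO support could have its auth op called with a link ID it does not expect; whether a later layer rejects this is not visible here. Inside the `if (req.link_id >= 0)` block I would add `if (!(rdev->wiphy.flags & WIPHY_FLAG_SUPPORTS_MLO)) return -EINVAL;` before the attribute check, and `if (!is_valid_ether_addr(req.ap_mld_addr)) return -EINVAL;` after the assignment. Both checks run before cfg80211_get_bss() takes its reference, so the early returns need no cfg80211_put_bss().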