Hello Miri Korenblit,

The patch 135065837310: "wifi: iwlwifi: support link_id in
SESSION_PROTECTION cmd" from Oct 17, 2023 (linux-next), leads to the
following Smatch static checker warning:

    drivers/net/wireless/intel/iwlwifi/mvm/time-event.c:705 iwl_mvm_get_session_prot_id()
    warn: unsigned 'link_id' is never less than zero.

drivers/net/wireless/intel/iwlwifi/mvm/time-event.c
    693 static int iwl_mvm_get_session_prot_id(struct iwl_mvm *mvm,
    694                                        struct ieee80211_vif *vif,
    695                                        u32 link_id)
    696 {
    697         struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif);
    698         int ver = iwl_fw_lookup_cmd_ver(mvm->fw,
    699                                         WIDE_ID(MAC_CONF_GROUP,
    700                                                 SESSION_PROTECTION_CMD), 1);
    701
    702         if (ver < 2)
    703                 return mvmvif->id;
    704
--> 705         if (WARN(link_id < 0 || !mvmvif->link[link_id],

link_id can't be less than zero. But the bugs are deeper than that.
In iwl_mvm_te_clear_data() we set:

    te_data->link_id = -1;

But here link_id is a u8 so really we're setting it to 255 instead of
-1. So that means that the mvmvif->link[link_id] is an out of bounds
access.

And generally I know from the type that link_id is 0-255 but if it's
more than 15 then it's an out of bounds access. I couldn't figure out
exactly where this is set so it's hard to tell if there are other out of
bounds accesses as well.

    706                  "Invalid link ID for session protection: %u\n", link_id))
    707                 return -EINVAL;
    708
    709         if (WARN(ieee80211_vif_is_mld(vif) &&
    710                  !(vif->active_links & BIT(link_id)),
    711                  "Session Protection on an inactive link: %u\n", link_id))
    712                 return -EINVAL;
    713
    714         return mvmvif->link[link_id]->fw_link_id;
    715 }

regards,
dan carpenter
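
A reduced model of the point raised in the report above, as an added example that is not part of the original message or of the iwlwifi driver: a `-1` stored in a u8 reads back as 255, and a lookup with an upper-bound test rejects it before the array is indexed. All `model_*` names and `MODEL_*` constants are hypothetical; the array size of 16 is an assumption taken from the message's statement that indices above 15 are out of bounds.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model types, not the driver's own structures. */
#define MODEL_NUM_LINKS 16   /* assumption: indices above 15 are out of bounds */
#define MODEL_EINVAL    22

struct model_link { int fw_link_id; };
struct model_vif  { struct model_link *link[MODEL_NUM_LINKS]; };
struct model_te   { uint8_t link_id; };

/* Same assignment the message quotes from the clear path. */
static void model_te_clear(struct model_te *te)
{
	te->link_id = -1;	/* stored in a u8, this reads back as 255 */
}

/* Bounded lookup: range test first, then the NULL test, then the dereference.
 * An unsigned index needs an upper bound; "< 0" can never be true for it. */
static int model_get_fw_link_id(const struct model_vif *vif, uint32_t link_id)
{
	if (link_id >= MODEL_NUM_LINKS)	/* rejects 255 and anything past the array */
		return -MODEL_EINVAL;
	if (!vif->link[link_id])
		return -MODEL_EINVAL;
	return vif->link[link_id]->fw_link_id;
}

/* Feed the "cleared" value through the bounded lookup. */
static int model_lookup_after_clear(const struct model_vif *vif)
{
	struct model_te te;

	model_te_clear(&te);
	return model_get_fw_link_id(vif, te.link_id);
}

int main(void)
{
	struct model_link l = { 7 };		/* constructed sample data */
	struct model_vif vif = { { NULL } };

	vif.link[3] = &l;
	printf("link 3      -> %d\n", model_get_fw_link_id(&vif, 3));
	printf("after clear -> %d\n", model_lookup_after_clear(&vif));
	return 0;
}
```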