On Wed, 2024-04-24 at 15:01 -0700, Kees Cook wrote:
> Before request->channels[] can be used, request->n_channels must be set.
> Additionally, address calculations for memory after the "channels" array
> need to be calculated from the allocation base ("request") rather than
> via the first "out of bounds" index of "channels", otherwise run-time
> bounds checking will throw a warning.
>
> Reported-by: Nathan Chancellor <nathan@xxxxxxxxxx>
> Fixes: e3eac9f32ec0 ("wifi: cfg80211: Annotate struct cfg80211_scan_request with __counted_by")

While I was weighing whether or not to apply this for 6.9 still ...

> + request->n_channels = n_channels;
>
>   if (n_ssids)
> - request->ssids = (void *)&request->channels[n_channels];
> + request->ssids = (void *)request + ssids_offset;

This really doesn't even seem right, shouldn't do pointer arithmetic on
void pointers. Same applies below too.

And also if you set n_channels before, perhaps it's actually OK to get a
pointer to *after*? Not sure though.

johannes
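Review bot: `ssids_offset` in the new `request->ssids = (void *)request + ssids_offset;` line is not computed anywhere in the visible hunk, so its value cannot be checked against the old layout, which put ssids at `&request->channels[n_channels]`; the commit message's intent (offset from the allocation base rather than through the first out-of-bounds index of `channels`) only holds if `ssids_offset` equals `struct_size(request, channels, n_channels)`, and spelling that out at the point of use, or in the lines that define it, would make the equivalence reviewable. Adding an offset to a `(void *)` relies on GCC's void-pointer arithmetic extension; casting to `(u8 *)request` (or `(char *)request`) gives the same address without that dependency, and any later pointers derived the same way should follow the same pattern. Moving `request->n_channels = n_channels;` ahead of the `ssids` assignment is the right order for the `__counted_by` annotation named in the Fixes line and should stay.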