Dmitry Antipov <dmantipov@xxxxxxxxx> writes:

> Looking through the following:
>
> -> ath10k_vif_wow_set_wakeups()
> -> ath10k_wow_convert_8023_to_80211()
> ...
> memcpy(..., ..., pattern_len); [1]
> ...
> <- ...
> if (WARN_ON(...packet_len > WOW_MAX_PATTERN_SIZE)) [2]
> ...
>
> I've found that [2] makes no sense after [1]. I.e. check for possible
> buffer overflow should be performed prior to touching both 'pattern' and
> 'mask' buffers with 'memcpy()' in 'ath10k_wow_convert_8023_to_80211()'.
> Compile tested only.
>
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
>
> Signed-off-by: Dmitry Antipov <dmantipov@xxxxxxxxx>

This code path should be tested on a real device, can anyone help with that?

--
https://patchwork.kernel.org/project/linux-wireless/list/

https://wireless.wiki.kernel.org/en/developers/documentation/submittingpatches
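The ordering discussed in the thread above (bounds check before the `memcpy()` calls into 'pattern' and 'mask'), as an added example that is not part of the e-mail or of the ath10k sources. The struct, function names, and sizes are assumptions for a simplified model of a header-swapping converter.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Constructed sizes for this model; not taken from the ath10k sources. */
#define MAX_PATTERN_SIZE 148
#define HDR_8023_LEN     14
#define HDR_80211_LEN    32

struct wow_pattern {
    unsigned char pattern[MAX_PATTERN_SIZE];
    unsigned char mask[MAX_PATTERN_SIZE];
    size_t len;
};

/* Hypothetical converter: swaps a 14-byte header for a zeroed 32-byte one. */
int convert_checked(struct wow_pattern *dst, const unsigned char *pat,
                    const unsigned char *mask, size_t len)
{
    size_t payload;

    if (len < HDR_8023_LEN)
        return -EINVAL;
    payload = len - HDR_8023_LEN;
    /* Validate before any write; the subtraction form cannot wrap. */
    if (payload > MAX_PATTERN_SIZE - HDR_80211_LEN)
        return -EINVAL;

    memset(dst->pattern, 0, HDR_80211_LEN);
    memset(dst->mask, 0, HDR_80211_LEN);
    memcpy(dst->pattern + HDR_80211_LEN, pat + HDR_8023_LEN, payload);
    memcpy(dst->mask + HDR_80211_LEN, mask + HDR_8023_LEN, payload);
    dst->len = HDR_80211_LEN + payload;
    return 0;
}

/* Constructed check: a rejected input must leave dst byte-for-byte intact. */
int rejected_input_leaves_dst_untouched(size_t len)
{
    static unsigned char in[4 * MAX_PATTERN_SIZE]; /* constructed input */
    struct wow_pattern dst, before;

    if (len > sizeof(in))
        return 0;
    memset(in, 0xAA, sizeof(in));
    memset(&dst, 0x5C, sizeof(dst));
    memcpy(&before, &dst, sizeof(dst));
    return convert_checked(&dst, in, in, len) == -EINVAL &&
           memcmp(&dst, &before, sizeof(dst)) == 0;
}
```

With the check placed after the copies instead, an oversized length would already have written past both arrays by the time the comparison runs, so the warning could only report corruption, not prevent it.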