Re: [smatch stuff] question about iwlagn_rx_calib_result()

On Wed, 2011-12-07 at 11:59 +0300, Dan Carpenter wrote:
> Smatch complains about iwlagn_rx_calib_result(). It would be bad for
> "len" to be negative.
> 
> drivers/net/wireless/iwlwifi/iwl-ucode.c
> 
> int iwlagn_rx_calib_result(struct iwl_priv *priv,
>                            struct iwl_rx_mem_buffer *rxb,
>                            struct iwl_device_cmd *cmd)
> {
>         struct iwl_rx_packet *pkt = rxb_addr(rxb);
>         struct iwl_calib_hdr *hdr = (struct iwl_calib_hdr *)pkt->u.raw;
>         int len = le32_to_cpu(pkt->len_n_flags) & FH_RSCSR_FRAME_SIZE_MSK;
>
>         /* reduce the size of the length field itself */
>         len -= 4;
>         ^^^^^^^^
> Where does this 4 come from?  I've tried to determine what the minimum
> size of "le32_to_cpu(pkt->len_n_flags) & FH_RSCSR_FRAME_SIZE_MSK" is but
> I got lost.  Can it ever be less than 4?

4 is sizeof(struct iwl_cmd_header) I think.

If the frame size ends up <= 4, that would be a major uCode/device bug
since any frame has to start with len_n_flags & the header, of which the
len_n_flags isn't included (see struct iwl_rx_packet).

johannes
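
Added example, not part of the original thread or of the iwlwifi driver: the unchecked subtraction the question is about, next to a form that validates the device-supplied frame size before subtracting. The mask value, the 4-byte header size, the buffer layout and all function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define FRAME_SIZE_MSK 0x00003FFFu /* assumed: low 14 bits hold the frame size */
#define LEN_FIELD 4u               /* the len_n_flags word itself */
#define HDR_LEN 4u                 /* assumed size of the command header */

/* Portable little-endian decode, standing in for le32_to_cpu(). */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Unchecked form from the quoted snippet: negative for frame sizes 0..3. */
static int payload_len_unchecked(uint32_t len_n_flags)
{
    int len = (int)(len_n_flags & FRAME_SIZE_MSK);
    len -= 4;
    return len;
}

/* Checked form: validate the device-supplied size before subtracting.
 * buf holds len_n_flags, then the header, then the payload. */
static int calib_payload(const uint8_t *buf, size_t buf_len,
                         const uint8_t **payload, size_t *payload_len)
{
    uint32_t frame;

    if (buf_len < LEN_FIELD)
        return -1;                      /* no length word at all */
    frame = le32(buf) & FRAME_SIZE_MSK;
    if (frame < HDR_LEN)
        return -1;                      /* subtraction would underflow */
    if (frame > buf_len - LEN_FIELD)
        return -1;                      /* claims more than was received */
    *payload = buf + LEN_FIELD + HDR_LEN;
    *payload_len = frame - HDR_LEN;
    return 0;
}

int main(void)
{
    /* Constructed frame: size 2, too short to hold the header. */
    const uint8_t bad[] = { 2, 0, 0, 0, 0x66, 0 };
    const uint8_t *p;
    size_t n;
    return calib_payload(bad, sizeof bad, &p, &n) == -1 ? 0 : 1;
}
```

A negative `int` length becomes a very large value once it is converted to `size_t` for a copy or allocation, which is why the check has to come before the subtraction.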
