[bug report] wifi: ath12k: memcpy read overflow

Dan Carpenter error27 at gmail.com
Thu Feb 16 05:59:44 PST 2023


Hello Kalle Valo,

The patch d889913205cf: "wifi: ath12k: driver for Qualcomm Wi-Fi 7
devices" from Nov 28, 2022, leads to the following Smatch static
checker warning:

drivers/net/wireless/ath/ath12k/mac.c:1636 ath12k_peer_assoc_h_he() warn: 'he_cap->he_cap_elem.mac_cap_info' sometimes too small '6' size = 8
drivers/net/wireless/ath/ath12k/mac.c:1638 ath12k_peer_assoc_h_he() warn: 'he_cap->he_cap_elem.phy_cap_info' sometimes too small '11' size = 12

drivers/net/wireless/ath/ath12k/mac.c
    1585 static void ath12k_peer_assoc_h_he(struct ath12k *ar,
    1586                                    struct ieee80211_vif *vif,
    1587                                    struct ieee80211_sta *sta,
    1588                                    struct ath12k_wmi_peer_assoc_arg *arg)
    1589 {
    1590         const struct ieee80211_sta_he_cap *he_cap = &sta->deflink.he_cap;
    1591         int i;
    1592         u8 ampdu_factor, rx_mcs_80, rx_mcs_160, max_nss;
    1593         u16 mcs_160_map, mcs_80_map;
    1594         bool support_160;
    1595         u16 v;
    1596 
    1597         if (!he_cap->has_he)
    1598                 return;
    1599 
    1600         arg->he_flag = true;
    1601 
    1602         support_160 = !!(he_cap->he_cap_elem.phy_cap_info[0] &
    1603                   IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G);
    1604 
    1605         /* Supported HE-MCS and NSS Set of peer he_cap is intersection with self he_cp */
    1606         mcs_160_map = le16_to_cpu(he_cap->he_mcs_nss_supp.rx_mcs_160);
    1607         mcs_80_map = le16_to_cpu(he_cap->he_mcs_nss_supp.rx_mcs_80);
    1608 
    1609         if (support_160) {
    1610                 for (i = 7; i >= 0; i--) {
    1611                         u8 mcs_160 = (mcs_160_map >> (2 * i)) & 3;
    1612 
    1613                         if (mcs_160 != IEEE80211_HE_MCS_NOT_SUPPORTED) {
    1614                                 rx_mcs_160 = i + 1;
    1615                                 break;
    1616                         }
    1617                 }
    1618         }
    1619 
    1620         for (i = 7; i >= 0; i--) {
    1621                 u8 mcs_80 = (mcs_80_map >> (2 * i)) & 3;
    1622 
    1623                 if (mcs_80 != IEEE80211_HE_MCS_NOT_SUPPORTED) {
    1624                         rx_mcs_80 = i + 1;
    1625                         break;
    1626                 }
    1627         }
    1628 
    1629         if (support_160)
    1630                 max_nss = min(rx_mcs_80, rx_mcs_160);
    1631         else
    1632                 max_nss = rx_mcs_80;
    1633 
    1634         arg->peer_nss = min(sta->deflink.rx_nss, max_nss);
    1635 
--> 1636         memcpy(&arg->peer_he_cap_macinfo, he_cap->he_cap_elem.mac_cap_info,
    1637                sizeof(arg->peer_he_cap_macinfo));

These buffers are different sizes: the copy length is sizeof() the 8-byte
destination, but the source array mac_cap_info is only 6 bytes, so the
memcpy reads past the end of the source.  I would be surprised if Clang
compiles this.  Kees has been trying to address this sort of thing.

    1638         memcpy(&arg->peer_he_cap_phyinfo, he_cap->he_cap_elem.phy_cap_info,
    1639                sizeof(arg->peer_he_cap_phyinfo));

Same here: phy_cap_info is 11 bytes but the copy length is 12.

    1640         arg->peer_he_ops = vif->bss_conf.he_oper.params;
    1641 
    1642         /* the top most byte is used to indicate BSS color info */
    1643         arg->peer_he_ops &= 0xffffff;
    1644 
    1645         /* As per section 26.6.1 IEEE Std 802.11ax‐2022, if the Max AMPDU
    1646          * Exponent Extension in HE cap is zero, use the arg->peer_max_mpdu
   
regards,
dan carpenter


