[bug report] wifi: ath12k: memcpy read overflow
Dan Carpenter
error27 at gmail.com
Thu Feb 16 05:59:44 PST 2023
Hello Kalle Valo,
The patch d889913205cf: "wifi: ath12k: driver for Qualcomm Wi-Fi 7
devices" from Nov 28, 2022, leads to the following Smatch static
checker warnings:
drivers/net/wireless/ath/ath12k/mac.c:1636 ath12k_peer_assoc_h_he() warn: 'he_cap->he_cap_elem.mac_cap_info' sometimes too small '6' size = 8
drivers/net/wireless/ath/ath12k/mac.c:1638 ath12k_peer_assoc_h_he() warn: 'he_cap->he_cap_elem.phy_cap_info' sometimes too small '11' size = 12
drivers/net/wireless/ath/ath12k/mac.c
1585 static void ath12k_peer_assoc_h_he(struct ath12k *ar,
1586 struct ieee80211_vif *vif,
1587 struct ieee80211_sta *sta,
1588 struct ath12k_wmi_peer_assoc_arg *arg)
1589 {
1590 const struct ieee80211_sta_he_cap *he_cap = &sta->deflink.he_cap;
1591 int i;
1592 u8 ampdu_factor, rx_mcs_80, rx_mcs_160, max_nss;
1593 u16 mcs_160_map, mcs_80_map;
1594 bool support_160;
1595 u16 v;
1596
1597 if (!he_cap->has_he)
1598 return;
1599
1600 arg->he_flag = true;
1601
1602 support_160 = !!(he_cap->he_cap_elem.phy_cap_info[0] &
1603 IEEE80211_HE_PHY_CAP0_CHANNEL_WIDTH_SET_160MHZ_IN_5G);
1604
1605 /* Supported HE-MCS and NSS Set of peer he_cap is intersection with self he_cp */
1606 mcs_160_map = le16_to_cpu(he_cap->he_mcs_nss_supp.rx_mcs_160);
1607 mcs_80_map = le16_to_cpu(he_cap->he_mcs_nss_supp.rx_mcs_80);
1608
1609 if (support_160) {
1610 for (i = 7; i >= 0; i--) {
1611 u8 mcs_160 = (mcs_160_map >> (2 * i)) & 3;
1612
1613 if (mcs_160 != IEEE80211_HE_MCS_NOT_SUPPORTED) {
1614 rx_mcs_160 = i + 1;
1615 break;
1616 }
1617 }
1618 }
1619
1620 for (i = 7; i >= 0; i--) {
1621 u8 mcs_80 = (mcs_80_map >> (2 * i)) & 3;
1622
1623 if (mcs_80 != IEEE80211_HE_MCS_NOT_SUPPORTED) {
1624 rx_mcs_80 = i + 1;
1625 break;
1626 }
1627 }
1628
1629 if (support_160)
1630 max_nss = min(rx_mcs_80, rx_mcs_160);
1631 else
1632 max_nss = rx_mcs_80;
1633
1634 arg->peer_nss = min(sta->deflink.rx_nss, max_nss);
1635
--> 1636 memcpy(&arg->peer_he_cap_macinfo, he_cap->he_cap_elem.mac_cap_info,
1637 sizeof(arg->peer_he_cap_macinfo));
These buffers are different sizes: the copy length is sizeof() the
destination (8 bytes), but the source array mac_cap_info is only 6 bytes,
so the memcpy reads past the end of the source. I would be surprised if Clang
compiles this. Kees has been trying to address this sort of thing.
1638 memcpy(&arg->peer_he_cap_phyinfo, he_cap->he_cap_elem.phy_cap_info,
1639 sizeof(arg->peer_he_cap_phyinfo));
Same here: the destination is 12 bytes but phy_cap_info is only 11, so one byte is read past the end of the source.
1640 arg->peer_he_ops = vif->bss_conf.he_oper.params;
1641
1642 /* the top most byte is used to indicate BSS color info */
1643 arg->peer_he_ops &= 0xffffff;
1644
1645 /* As per section 26.6.1 IEEE Std 802.11ax‐2022, if the Max AMPDU
1646 * Exponent Extension in HE cap is zero, use the arg->peer_max_mpdu
regards,
dan carpenter