From dan.carpenter at oracle.com Tue Oct 25 06:34:11 2016
From: dan.carpenter at oracle.com (Dan Carpenter)
Date: Tue, 25 Oct 2016 16:34:11 +0300
Subject: [bug report] libertas: if_spi, driver for libertas GSPI devices
Message-ID: <20161025133158.GA30666@elgon.mountain>

[ Old code, sorry. -dan ]

Hello Colin McCabe,

The patch d2b21f191753: "libertas: if_spi, driver for libertas GSPI devices" from Jan 9, 2009, leads to the following static checker warning:

    drivers/net/wireless/marvell/libertas/if_spi.c:731 if_spi_c2h_cmd()
    error: __memcpy() 'priv->resp_buf[i]' too small (2312 vs 2400)

drivers/net/wireless/marvell/libertas/if_spi.c
   704          /* How many bytes are there to read? */
   705          err = spu_read_u16(card, IF_SPI_SCRATCH_2_REG, &len);
   706          if (err)
   707                  goto out;
   708          if (!len) {
   709                  netdev_err(priv->dev, "%s: error: card has no data for host\n",
   710                             __func__);
   711                  err = -EINVAL;
   712                  goto out;
   713          } else if (len > IF_SPI_CMD_BUF_SIZE) {

We cap "len" at 2400 bytes.

   714                  netdev_err(priv->dev,
   715                             "%s: error: response packet too large: %d bytes, but maximum is %d\n",
   716                             __func__, len, IF_SPI_CMD_BUF_SIZE);
   717                  err = -EINVAL;
   718                  goto out;
   719          }
   720
   721          /* Read the data from the WLAN module into our command buffer */
   722          err = spu_read(card, IF_SPI_CMD_RDWRPORT_REG,
   723                                  card->cmd_buffer, ALIGN(len, 4));
   724          if (err)
   725                  goto out;
   726
   727          spin_lock_irqsave(&priv->driver_lock, flags);
   728          i = (priv->resp_idx == 0) ? 1 : 0;
   729          BUG_ON(priv->resp_len[i]);
   730          priv->resp_len[i] = len;
   731          memcpy(priv->resp_buf[i], card->cmd_buffer, len);
                       ^^^^^^^^^^^^^^^^^
But ->resp_buf[i] only has LBS_UPLD_SIZE (2313) bytes. A length reported by the card that is larger than resp_buf[i] but no larger than IF_SPI_CMD_BUF_SIZE passes the check on line 713, so this memcpy() can write past the end of the buffer; the limit should match the destination size.

   732          lbs_notify_command_response(priv, i);
   733          spin_unlock_irqrestore(&priv->driver_lock, flags);
   734
   735  out:
   736          if (err)
   737                  netdev_err(priv->dev, "%s: err=%d\n", __func__, err);
   738          lbs_deb_leave(LBS_DEB_SPI);
   739          return err;
   740  }

regards,
dan carpenter