[bug report] libertas: if_spi, driver for libertas GSPI devices
Dan Carpenter
dan.carpenter at linaro.org
Fri Aug 29 00:08:43 PDT 2025
Hello libertas devs,
Ancient commit d2b21f191753 ("libertas: if_spi, driver for libertas
GSPI devices") from Jan 9, 2009 (linux-next) leads to the following
Smatch static checker warning:
drivers/net/wireless/marvell/libertas/if_spi.c:719 if_spi_c2h_cmd()
error: '__memcpy()' 'priv->resp_buf[i]' copy overflow (2312 vs 2400)
drivers/net/wireless/marvell/libertas/if_spi.c
/*
 * Pull one command response from the card into the host's response slot.
 *
 * Reads the pending length from IF_SPI_SCRATCH_2_REG, transfers that many
 * bytes (rounded up to 4) from IF_SPI_CMD_RDWRPORT_REG into card->cmd_buffer,
 * then, under priv->driver_lock, copies it into the resp_buf slot that is not
 * currently in use and notifies the command layer.
 *
 * Returns 0 on success, a negative errno on a read failure or when the
 * reported length is 0 or larger than the command buffer.
 */
670 static int if_spi_c2h_cmd(struct if_spi_card *card)
671 {
672 struct lbs_private *priv = card->priv;
673 unsigned long flags;
674 int err = 0;
675 u16 len;
676 u8 i;
677
678 /*
679 * We need a buffer big enough to handle whatever people send to
680 * hw_host_to_card
681 */
682 BUILD_BUG_ON(IF_SPI_CMD_BUF_SIZE < LBS_CMD_BUFFER_SIZE);
683 BUILD_BUG_ON(IF_SPI_CMD_BUF_SIZE < LBS_UPLD_SIZE);
684
685 /*
686 * It's just annoying if the buffer size isn't a multiple of 4, because
687 * then we might have len < IF_SPI_CMD_BUF_SIZE but
688 * ALIGN(len, 4) > IF_SPI_CMD_BUF_SIZE
689 */
690 BUILD_BUG_ON(IF_SPI_CMD_BUF_SIZE % 4 != 0);
691
692 /* How many bytes are there to read? */
693 err = spu_read_u16(card, IF_SPI_SCRATCH_2_REG, &len);
694 if (err)
695 goto out;
696 if (!len) {
697 netdev_err(priv->dev, "%s: error: card has no data for host\n",
698 __func__);
699 err = -EINVAL;
700 goto out;
/*
 * NOTE(review): len comes from the card and is only bounded here by
 * IF_SPI_CMD_BUF_SIZE (2400), the size of card->cmd_buffer. The final
 * destination, priv->resp_buf[i], is LBS_UPLD_SIZE (2312) bytes per the
 * Smatch report, so len also needs to be checked against LBS_UPLD_SIZE (or
 * the size of resp_buf[i]) before the memcpy below.
 */
701 } else if (len > IF_SPI_CMD_BUF_SIZE) {
^^^^^^^^^^^^^^^^^^^^^^^^^^
The problem is that this is 2400 but ...
702 netdev_err(priv->dev,
703 "%s: error: response packet too large: %d bytes, but maximum is %d\n",
704 __func__, len, IF_SPI_CMD_BUF_SIZE);
705 err = -EINVAL;
706 goto out;
707 }
708
709 /* Read the data from the WLAN module into our command buffer */
710 err = spu_read(card, IF_SPI_CMD_RDWRPORT_REG,
711 card->cmd_buffer, ALIGN(len, 4));
712 if (err)
713 goto out;
714
715 spin_lock_irqsave(&priv->driver_lock, flags);
/* Use whichever response slot is not the one currently being consumed. */
716 i = (priv->resp_idx == 0) ? 1 : 0;
717 BUG_ON(priv->resp_len[i]);
718 priv->resp_len[i] = len;
/*
 * NOTE(review): only IF_SPI_CMD_BUF_SIZE (2400) has been checked above;
 * a len of 2313..2400 passes that check and overruns the 2312-byte
 * resp_buf[i] here.
 */
--> 719 memcpy(priv->resp_buf[i], card->cmd_buffer, len);
^^^^^^^^^^^^^^^^^
if len is more than LBS_UPLD_SIZE (2312) then it leads to a buffer
overflow here.
720 lbs_notify_command_response(priv, i);
721 spin_unlock_irqrestore(&priv->driver_lock, flags);
722
723 out:
724 if (err)
725 netdev_err(priv->dev, "%s: err=%d\n", __func__, err);
726
727 return err;
728 }
regards,
dan carpenter