[bug report] wifi: mwifiex: add rgpower table loading support


Hello Stefan Kerkmann,

Commit 7b6f16a25806 ("wifi: mwifiex: add rgpower table loading
support") from Aug 4, 2025 (linux-next), leads to the following
(UNPUBLISHED) Smatch static checker warning:

	drivers/net/wireless/marvell/mwifiex/sta_cmd.c:1540 mwifiex_send_rgpower_table()
	warn: not copying enough bytes for '&hostcmd->len' (4 vs 2 bytes)

drivers/net/wireless/marvell/mwifiex/sta_cmd.c
    1509 int mwifiex_send_rgpower_table(struct mwifiex_private *priv, const u8 *data,
    1510                                 const size_t size)
    1511 {
    1512         int ret = 0;
    1513         bool start_raw = false;
    1514         u8 *ptr, *token, *pos = NULL;
    1515         u8 *_data __free(kfree) = NULL;
    1516         struct mwifiex_adapter *adapter = priv->adapter;
    1517         struct mwifiex_ds_misc_cmd *hostcmd __free(kfree) = NULL;
    1518 
    1519         hostcmd = kzalloc(sizeof(*hostcmd), GFP_KERNEL);
    1520         if (!hostcmd)
    1521                 return -ENOMEM;
    1522 
    1523         _data = kmemdup(data, size, GFP_KERNEL);
    1524         if (!_data)
    1525                 return -ENOMEM;
    1526 
    1527         pos = _data;
    1528         ptr = hostcmd->cmd;
    1529         while ((pos - _data) < size) {
    1530                 ret = mwifiex_rgpower_table_advance_to_content(&pos, _data, size);
    1531                 if (ret) {
    1532                         mwifiex_dbg(
    1533                                 adapter, ERROR,
    1534                                 "%s: failed to advance to content in rgpower table\n",
    1535                                 __func__);
    1536                         return ret;
    1537                 }
    1538 
    1539                 if (*pos == '}' && start_raw) {
--> 1540                         memcpy(&hostcmd->len, &hostcmd->cmd[2], sizeof(u16));

hostcmd->len is a u32.  Copying the length into the first two bytes is an
endian bug.  It won't work on big endian systems.

    1541                         ret = mwifiex_send_cmd(priv, 0, 0, 0, hostcmd, false);
    1542                         if (ret) {
    1543                                 mwifiex_dbg(adapter, ERROR,
    1544                                             "%s: failed to send hostcmd %d\n",
    1545                                             __func__, ret);
    1546                                 return ret;
    1547                         }
    1548 
    1549                         memset(hostcmd->cmd, 0, MWIFIEX_SIZE_OF_CMD_BUFFER);
    1550                         ptr = hostcmd->cmd;
    1551                         start_raw = false;
    1552                         pos++;
    1553                         continue;
    1554                 }
    1555 

regards,
dan carpenter
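
Added example (not part of the original message and not mwifiex code): a user-space C sketch of the flagged memcpy() pattern, emulating how a little-endian and a big-endian host would each read back the u32 after only its first two bytes are written. The helper names, the constructed command bytes, and the assumption that the 16-bit size field at cmd[2] is little-endian are illustrative.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Read 4 bytes of storage as a u32 the way a host of the given
 * byte order would (emulation helper, hypothetical name). */
static uint32_t load_u32(const uint8_t b[4], int big_endian)
{
    if (big_endian)
        return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
               ((uint32_t)b[2] << 8) | b[3];
    return ((uint32_t)b[3] << 24) | ((uint32_t)b[2] << 16) |
           ((uint32_t)b[1] << 8) | b[0];
}

/* The flagged pattern: copy sizeof(u16) bytes from cmd[2] into the
 * start of a zeroed u32, then read the u32 back as the host would. */
static uint32_t len_via_memcpy(const uint8_t *cmd, int big_endian)
{
    uint8_t len_storage[4] = {0};   /* stands in for the zeroed u32 len */

    memcpy(len_storage, &cmd[2], sizeof(uint16_t));
    return load_u32(len_storage, big_endian);
}

/* Byte-order independent alternative: decode the 16-bit field
 * explicitly (assumed little-endian) and assign the value. */
static uint32_t len_via_decode(const uint8_t *cmd)
{
    return (uint32_t)cmd[2] | ((uint32_t)cmd[3] << 8);
}

int main(void)
{
    /* Constructed command header: bytes 2..3 encode a size of 0x0014. */
    const uint8_t cmd[4] = { 0x01, 0x00, 0x14, 0x00 };

    printf("memcpy, LE host: %u\n", (unsigned)len_via_memcpy(cmd, 0));
    printf("memcpy, BE host: %u\n", (unsigned)len_via_memcpy(cmd, 1));
    printf("explicit decode: %u\n", (unsigned)len_via_decode(cmd));
    return 0;
}
```

On the emulated big-endian host the two copied bytes land in the high half of the u32, so the length reads back as 0x14000000 instead of 20.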



