Re: [PATCH 1/2] staging: rtl8192u: Refactoring setKey function

[Dan Carpenter]

On Tue, Apr 14, 2020 at 09:01:18AM -0700, Joe Perches wrote:
> On Tue, 2020-04-14 at 15:33 +0300, Dan Carpenter wrote:
> > On Mon, Apr 13, 2020 at 03:01:28AM +0000, Camylla Goncalves Cantanheide wrote:
> > > +
> > > +	for (i = 2; i < CAM_CONTENT_COUNT; i++) {
> > > +		write_nic_dword(dev, WCAMI, *keycontent++);
> > 
> > This code was wrong in the original as well, but now that I see the bug
> > let's fix it.  CAM_CONTENT_COUNT is 8.  8 - 2 = 6.  We are writing 6
> > u32 variables to write_nic_dword().  But the *keycontent buffer only has
> > 4 u32 variables so it is a buffer overflow.
> 
> Did you find the overflow with smatch?

No.  Smatch isn't smart enough to understand that *(keycontent + i - 2)
is an array overflow.  It thinks *(keycontent + i) is an array overflow
but the "- 2" confuses it.  Also Smatch isn't smart enough to parse the
*keycontent++.  It takes a shortcut when it parses loops.

To be honest, I just didn't like starting the loop from 2 and was trying
to see if there was a better define to use.

I agree that your solution of making the buffer larger is probably the
safest approach given that none of us really know the hardware.

regards,
dan carpenter