Re: [RFC] wifi: mwifiex: Asking for some light on this, please :)

From: Gustavo A. R. Silva
Date: Thu Aug 24 2023 - 23:17:44 EST




Make the mwifiex_dbg() into a warning though. This is an error
condition and shouldn't be hidden.

                 mwifiex_dbg(priv->adapter, INFO,
                             "%pM tid=%d seq_num=%d bitmap_len=%d\n",
                             tlv_rxba->mac, tlv_rxba->tid, tlv_seq_num,

I wanted to use `sizeof(*tlv_rxba) + tlv_bitmap_len` here instead of
`sizeof(tlv_rxba->header) + tlv_len` to avoid any issues in case there
is any (buggy) discrepancy between `tlv_len` and `tlv_bitmap_len`.
This is when for some (weird) reason
        `tlv_len - (sizeof(*tlv_rxba) - sizeof(tlv_rxba->header)) != tlv_bitmap_len`

tlv_len absolutely should also be checked. But you don't need that
condition, just do the same thing right after tlv_len is retrieved from
the header:

	if (sizeof(tlv_rxba->header) + tlv_len > tlv_buf_left) {
		<warn>
		return;
	}


Thanks for all the feedback, Dan:

https://lore.kernel.org/linux-hardening/cover.1692931954.git.gustavoars@xxxxxxxxxx/

--
Gustavo
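
The two length checks discussed in this message, as an added example that is not part of the original e-mail or of the mwifiex driver: the TLV length is checked against the remaining buffer right after it is read, and the bitmap length is then checked against what `tlv_len` leaves. `struct rxba_fixed`, `rxba_check()`, `rxba_build()` and the status codes are hypothetical names, the fields are assumed host-endian, and this sketch rejects any mismatch between the two lengths.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout modelled on the names in the thread, not the driver's
 * real structs; fields are host-endian here for simplicity (assumption). */
struct tlv_header { uint16_t type; uint16_t len; };
struct rxba_fixed {               /* bitmap bytes follow this on the wire */
    struct tlv_header header;
    uint16_t seq_num;
    uint16_t bitmap_len;
};
#define RXBA_BODY (sizeof(struct rxba_fixed) - sizeof(struct tlv_header))
enum rxba_status { RXBA_OK, RXBA_SHORT_HDR, RXBA_TLV_OVERRUN,
                   RXBA_TLV_TOO_SHORT, RXBA_BITMAP_MISMATCH };

/* Validate one TLV at buf with buf_left bytes remaining in the event buffer. */
enum rxba_status rxba_check(const uint8_t *buf, size_t buf_left)
{
    struct rxba_fixed f;
    size_t tlv_len;
    if (buf_left < sizeof(f.header))
        return RXBA_SHORT_HDR;
    memcpy(&f.header, buf, sizeof(f.header));
    tlv_len = f.header.len;
    /* The check from the thread, done right after tlv_len is retrieved. */
    if (sizeof(f.header) + tlv_len > buf_left)
        return RXBA_TLV_OVERRUN;
    if (tlv_len < RXBA_BODY)      /* fixed fields must lie inside the TLV */
        return RXBA_TLV_TOO_SHORT;
    memcpy(&f, buf, sizeof(f));
    /* The discrepancy case: bitmap_len disagrees with what tlv_len leaves. */
    if (f.bitmap_len != tlv_len - RXBA_BODY)
        return RXBA_BITMAP_MISMATCH;
    return RXBA_OK;
}

/* Constructed sample input: write the fixed part of one TLV into out. */
void rxba_build(uint8_t *out, uint16_t tlv_len, uint16_t bitmap_len)
{
    struct rxba_fixed f = { { 0x0001, tlv_len }, 7, bitmap_len };
    memcpy(out, &f, sizeof(f));
}

int main(void)
{
    uint8_t buf[16] = { 0 };
    rxba_build(buf, 8, 4);        /* 4 fixed body bytes + 4 bitmap bytes */
    return rxba_check(buf, sizeof(buf)) == RXBA_OK ? 0 : 1;
}
```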