[PATCH] cfg80211: Fix array-bounds warning in fragment copy

From: Matthias Kaehlcke
Date: Fri Mar 24 2017 - 21:08:15 EST

Next message: Steven Rostedt: "Re: lockdep warning: console vs. mem hotplug"
Previous message: Stephen Boyd: "[GIT PULL] clk fixes for v4.11-rc3"
Next in thread: Johannes Berg: "Re: [PATCH] cfg80211: Fix array-bounds warning in fragment copy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

__ieee80211_amsdu_copy_frag intentionally initializes a pointer to
array[-1] to increment it later to valid values. clang rightfully
generates an array-bounds warning on the initialization statement.
Work around this by initializing the pointer to array[0] and
decrementing it later, which allows to leave the rest of the
algorithm untouched.

Signed-off-by: Matthias Kaehlcke <mka@xxxxxxxxxxxx>
---
net/wireless/util.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/wireless/util.c b/net/wireless/util.c
index 68e5f2ecee1a..d3d459e4a070 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -659,7 +659,7 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct sk_buff *frame,
int offset, int len)
{
struct skb_shared_info *sh = skb_shinfo(skb);
- const skb_frag_t *frag = &sh->frags[-1];
+ const skb_frag_t *frag = &sh->frags[0];
struct page *frag_page;
void *frag_ptr;
int frag_len, frag_size;
@@ -669,6 +669,7 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct sk_buff *frame,
frag_page = virt_to_head_page(skb->head);
frag_ptr = skb->data;
frag_size = head_size;
+ frag--;

while (offset >= frag_size) {
offset -= frag_size;
--
2.12.1.578.ge9c3154ca4-goog

Next message: Steven Rostedt: "Re: lockdep warning: console vs. mem hotplug"
Previous message: Stephen Boyd: "[GIT PULL] clk fixes for v4.11-rc3"
Next in thread: Johannes Berg: "Re: [PATCH] cfg80211: Fix array-bounds warning in fragment copy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]