Re: [PATCH v2] staging: rtl8723bs: initialize le_tmp64 in rtw_BIP_verify()

From: Dan Carpenter

Date: Sat Mar 21 2026 - 03:58:11 EST


On Fri, Mar 20, 2026 at 06:29:13PM +0100, Greg KH wrote:
> On Sat, Mar 21, 2026 at 01:25:02AM +0800, Lin YuChen wrote:
> > Initialize le_tmp64 to zero in rtw_BIP_verify() to prevent using
> > uninitialized data.
> >
> > Smatch warns that only 6 bytes are copied to this 8-byte (u64)
> > variable, leaving the last two bytes uninitialized:
> >
> > drivers/staging/rtl8723bs/core/rtw_security.c:1308 rtw_BIP_verify()
> > warn: not copying enough bytes for '&le_tmp64' (8 vs 6 bytes)
> >
> > Initializing the variable at the start of the function fixes this
> > warning and ensures predictable behavior.
>
> Which makes me wonder how this ever worked at all, if random data was in
> those 2 bytes.

These days, everyone sane zeroes their stack variables, but this driver
is older than the zeroing code so it's a puzzling thing.

I could imagine a couple different ways that the code might be able to
work even with uninitialized data... It wouldn't surprise me if the
check for:

/* BIP packet number should bigger than previous BIP packet */

is some kind of workaround for a bug?

regards,
dan carpenter
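
The effect the Smatch warning in the quoted commit message describes, as an added C example that is not code from the driver or from anyone in this thread. `parse_ipn()`, `ipn_is_newer()`, the stale-byte parameter and the sample values are assumptions made for illustration; the comparison is modelled only on the comment quoted above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPN_LEN 6 /* bytes copied into the 8-byte variable, per the warning */

/* Portable stand-in for le64_to_cpu(): decode 8 object bytes as little-endian. */
static uint64_t le64_decode(const void *obj)
{
    unsigned char b[8];
    uint64_t v = 0;

    memcpy(b, obj, sizeof(b));
    for (int i = 7; i >= 0; i--)
        v = (v << 8) | b[i];
    return v;
}

/*
 * Copy a 6-byte little-endian packet number into an 8-byte variable that
 * previously held `stale_byte` in every byte. 0x00 models the patched,
 * zero-initialized variable; anything else simulates leftover stack data.
 */
uint64_t parse_ipn(const unsigned char *ipn, unsigned char stale_byte)
{
    uint64_t le_tmp64;

    memset(&le_tmp64, stale_byte, sizeof(le_tmp64));
    memcpy(&le_tmp64, ipn, IPN_LEN);
    return le64_decode(&le_tmp64);
}

/* Hypothetical check modelled on the quoted comment: accept only newer numbers. */
int ipn_is_newer(uint64_t ipn, uint64_t last_rx)
{
    return ipn > last_rx;
}

int main(void)
{
    const unsigned char ipn[IPN_LEN] = { 0x05, 0, 0, 0, 0, 0 }; /* constructed */
    uint64_t last_rx = 5; /* constructed: same number already received */

    printf("zeroed: %#llx newer=%d\n", (unsigned long long)parse_ipn(ipn, 0x00),
           ipn_is_newer(parse_ipn(ipn, 0x00), last_rx));
    printf("stale:  %#llx newer=%d\n", (unsigned long long)parse_ipn(ipn, 0xAA),
           ipn_is_newer(parse_ipn(ipn, 0xAA), last_rx));
    return 0;
}
```

With a zeroed variable the parsed value equals the 48-bit number on the wire; with stale upper bytes the same six input bytes decode to a different, much larger value, so the outcome of a "newer than previous" comparison depends on whatever was left on the stack.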