Re: [PATCH 1/2] staging: rtl8192u: Refactoring setKey function

From: Dan Carpenter
Date: Tue Apr 14 2020 - 14:32:45 EST


On Tue, Apr 14, 2020 at 09:01:18AM -0700, Joe Perches wrote:
> On Tue, 2020-04-14 at 15:33 +0300, Dan Carpenter wrote:
> > On Mon, Apr 13, 2020 at 03:01:28AM +0000, Camylla Goncalves Cantanheide wrote:
> > > +
> > > + for (i = 2; i < CAM_CONTENT_COUNT; i++) {
> > > + write_nic_dword(dev, WCAMI, *keycontent++);
> >
> > This code was wrong in the original as well, but now that I see the bug
> > let's fix it. CAM_CONTENT_COUNT is 8. 8 - 2 = 6. We are writing 6
> > u32 variables to write_nic_dword(). But the *keycontent buffer only has
> > 4 u32 variables so it is a buffer overflow.
>
> Did you find the overflow with smatch?

No. Smatch isn't smart enough to understand that *(keycontent + i - 2)
is an array overflow. It thinks *(keycontent + i) is an array overflow
but the "- 2" confuses it. Also Smatch isn't smart enough to parse the
*keycontent++. It takes a shortcut when it parses loops.

To be honest, I just didn't like starting the loop from 2 and was trying
to see if there was a better define to use.

I agree that your solution of making the buffer larger is probably the
safest approach given that none of us really know the hardware.

regards,
dan carpenter