| Message ID | 20210617171317.3410722-1-keescook@chromium.org (mailing list archive) |
|---|---|
| State | Awaiting Upstream |
| Delegated to: | Netdev Maintainers |
| Headers | show |
| Series | rtlwifi: rtl8192de: Fully initialize curvecount_val | expand |
| Context | Check | Description |
|---|---|---|
| netdev/tree_selection | success | Not a local patch |
On 6/17/21 12:13 PM, Kees Cook wrote: > In preparation for FORTIFY_SOURCE performing compile-time and run-time > field bounds checking for memcpy(), memmove(), and memset(), avoid > intentionally writing across neighboring array fields. > > The size argument to memset() is bytes, but the array element size > of curvecount_val is u32, so "CV_CURVE_CNT * 2" was only 1/4th of the > contents of curvecount_val. Adjust memset() to wipe full buffer size. > > Signed-off-by: Kees Cook <keescook@chromium.org> > --- > drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c > index 68ec009ea157..76dd881ef9bb 100644 > --- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c > +++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c > @@ -2574,7 +2574,7 @@ static void _rtl92d_phy_lc_calibrate_sw(struct ieee80211_hw *hw, bool is2t) > RTPRINT(rtlpriv, FINIT, INIT_IQK, > "path-B / 2.4G LCK\n"); > } > - memset(&curvecount_val[0], 0, CV_CURVE_CNT * 2); > + memset(curvecount_val, 0, sizeof(curvecount_val)); > /* Set LC calibration off */ > rtl_set_rfreg(hw, (enum radio_path)index, RF_CHNLBW, > 0x08000, 0x0); > Reviewed-by: Larry Finger <Larry.Finger@lwfinger.net>
Kees Cook <keescook@chromium.org> wrote: > In preparation for FORTIFY_SOURCE performing compile-time and run-time > field bounds checking for memcpy(), memmove(), and memset(), avoid > intentionally writing across neighboring array fields. > > The size argument to memset() is bytes, but the array element size > of curvecount_val is u32, so "CV_CURVE_CNT * 2" was only 1/4th of the > contents of curvecount_val. Adjust memset() to wipe full buffer size. > > Signed-off-by: Kees Cook <keescook@chromium.org> > Reviewed-by: Larry Finger <Larry.Finger@lwfinger.net> Patch applied to wireless-drivers-next.git, thanks. 0d5e743db480 rtlwifi: rtl8192de: Fully initialize curvecount_val
diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c index 68ec009ea157..76dd881ef9bb 100644 --- a/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c +++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c @@ -2574,7 +2574,7 @@ static void _rtl92d_phy_lc_calibrate_sw(struct ieee80211_hw *hw, bool is2t) RTPRINT(rtlpriv, FINIT, INIT_IQK, "path-B / 2.4G LCK\n"); } - memset(&curvecount_val[0], 0, CV_CURVE_CNT * 2); + memset(curvecount_val, 0, sizeof(curvecount_val)); /* Set LC calibration off */ rtl_set_rfreg(hw, (enum radio_path)index, RF_CHNLBW, 0x08000, 0x0);
In preparation for FORTIFY_SOURCE performing compile-time and run-time field bounds checking for memcpy(), memmove(), and memset(), avoid intentionally writing across neighboring array fields. The size argument to memset() is bytes, but the array element size of curvecount_val is u32, so "CV_CURVE_CNT * 2" was only 1/4th of the contents of curvecount_val. Adjust memset() to wipe full buffer size. Signed-off-by: Kees Cook <keescook@chromium.org> --- drivers/net/wireless/realtek/rtlwifi/rtl8192de/phy.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)