Re: [PATCH wireless-next] brcmsmac: avoid 512 byte stack variable

Thu, 07 Feb 2013 12:25:29 -0800 

On 02/07/2013 09:13 PM, Tim Gardner wrote:
> Dynamically allocate the probe response template which
> avoids potential stack corruption. Observed with smatch:
> 
> drivers/net/wireless/brcm80211/brcmsmac/main.c:7412 
> brcms_c_bss_update_probe_resp()
>  warn: 'prb_resp' puts 512 bytes on stack
> 
> Cc: Brett Rudley <[email protected]>
> Cc: Arend van Spriel <[email protected]>
> Cc: "Franky (Zhenhui) Lin" <[email protected]>
> Cc: Hante Meuleman <[email protected]>
> Cc: "John W. Linville" <[email protected]>
> Cc: Seth Forshee <[email protected]>
> Cc: Pieter-Paul Giesberts <[email protected]>
> Cc: Hauke Mehrtens <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> Cc: [email protected]

One comment below. When taken care of feel free to add:

Acked-by: Arend van Spriel <[email protected]>
> Signed-off-by: Tim Gardner <[email protected]>
> ---
>  drivers/net/wireless/brcm80211/brcmsmac/main.c |   11 ++++++++++-
>  1 file changed, 10 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/net/wireless/brcm80211/brcmsmac/main.c 
> b/drivers/net/wireless/brcm80211/brcmsmac/main.c
> index c26992a..e392e76 100644
> --- a/drivers/net/wireless/brcm80211/brcmsmac/main.c
> +++ b/drivers/net/wireless/brcm80211/brcmsmac/main.c
> @@ -7408,9 +7408,16 @@ brcms_c_bss_update_probe_resp(struct brcms_c_info *wlc,
>                             struct brcms_bss_cfg *cfg,
>                             bool suspend)
>  {
> -     u16 prb_resp[BCN_TMPL_LEN / 2];
> +     u16 *prb_resp;
>       int len = BCN_TMPL_LEN;
>  
> +     prb_resp = kmalloc(BCN_TMPL_LEN, GFP_ATOMIC);
> +     if (!prb_resp) {
> +             wiphy_err(wlc->wiphy, "wl: %s: failed to alloc %u bytes\n",
> +                     __func__, BCN_TMPL_LEN);

I believe the kmalloc() call spews enough info upon allocation failure
so please remove the error message here.

> +             return;
> +     }
> +
>       /*
>        * write the probe response to hardware, or save in
>        * the config structure
> @@ -7444,6 +7451,8 @@ brcms_c_bss_update_probe_resp(struct brcms_c_info *wlc,
>  
>       if (suspend)
>               brcms_c_enable_mac(wlc);
> +
> +     kfree(prb_resp);
>  }
>  
>  void brcms_c_update_probe_resp(struct brcms_c_info *wlc, bool suspend)
> 


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Reply via email to