From f9b2a2b77179ff2c220ee769dc8abb998afc4ef5 Mon Sep 17 00:00:00 2001 From: Albert Cano Date: Wed, 29 Aug 2018 09:04:27 +0100 Subject: [PATCH] [9610] wlbt: fix prevent issue CID:240470,240473,240480 drivers/net/wireless/scsc/hip4_smapper.c CID 240470 (#1 of 1): Out-of-bounds write (OVERRUN) 6. overrun-local: Overrunning array control->lookuptable of 10 bytes at byte offset 251 using index bank->bank (which evaluates to 251). CID 240473 (#1 of 1): Out-of-bounds read (OVERRUN) 4. overrun-local: Overrunning array control->lookuptable of 10 bytes at byte offset 10 using index bank_num (which evaluates to 10). drivers/misc/samsung/scsc/mxlogger.h CID 240480 (#1 of 1): Uninitialized scalar variable (UNINIT) 2. uninit_use_in_call: Using uninitialized value sync_r. Field sync_r.fw_time Change-Id: Id6d1a434518e401d1bf28cd8833514c82ac3652f Signed-off-by: Albert Cano Signed-off-by: Youngsoo Kim SCSC-Bug-Id: CBR-6
---
 drivers/net/wireless/scsc/hip4_smapper.c | 19 ++++++++++++++++---
 drivers/net/wireless/scsc/hip4_smapper.h | 1 +
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/scsc/hip4_smapper.c b/drivers/net/wireless/scsc/hip4_smapper.c
index 4db284781822..5c5d369a32d3 100644
--- a/drivers/net/wireless/scsc/hip4_smapper.c
+++ b/drivers/net/wireless/scsc/hip4_smapper.c
@@ -22,12 +22,25 @@ static int hip4_smapper_alloc_bank(struct slsi_dev *sdev, struct hip4_priv *priv
 u16 i;
 struct hip4_smapper_bank *bank = &(priv)->smapper_banks[bank_name];
 struct hip4_smapper_control *control = &(priv)->smapper_control;
+ int err;
 SLSI_DBG4_NODEV(SLSI_SMAPPER, "Init bank %d entry_size %d is_large %d\n", bank_name, entry_size, is_large);
 bank->entry_size = entry_size;
- bank->bank = scsc_service_mifsmapper_alloc_bank(sdev->service, is_large, bank->entry_size, &bank->entries);
- if(bank->bank < 0)
- return bank->bank;
+
+ /* function returns negative number if an error occurs, otherwise returns the bank number */
+ err = scsc_service_mifsmapper_alloc_bank(sdev->service, is_large, bank->entry_size, &bank->entries);
+ if (err < 0) {
+ SLSI_DBG4_NODEV(SLSI_SMAPPER, "Error allocating bank %d\n", err);
+ return -ENOMEM;
+ }
+
+ bank->bank = (u32)err;
+ if (bank->bank >= HIP4_SMAPPER_TOTAL_BANKS) {
+ scsc_service_mifsmapper_free_bank(sdev->service, bank->bank);
+ SLSI_DBG4_NODEV(SLSI_SMAPPER, "Incorrect bank_num %d\n", bank->bank);
+ return -ENOMEM;
+ }
+
 bank->skbuff = kmalloc_array(bank->entries, sizeof(struct sk_buff *),
 GFP_KERNEL);
 bank->skbuff_dma = kmalloc_array(bank->entries, sizeof(dma_addr_t),
diff --git a/drivers/net/wireless/scsc/hip4_smapper.h b/drivers/net/wireless/scsc/hip4_smapper.h
index badcecf56a45..92270116da72 100644
--- a/drivers/net/wireless/scsc/hip4_smapper.h
+++ b/drivers/net/wireless/scsc/hip4_smapper.h
@@ -72,6 +72,7 @@ struct hip4_smapper_control {
 u32 *mbox_ptr; /* Mbox pointer */
 spinlock_t smapper_lock;
 /* Lookup table to map the virtual bank mapping in wlan with the phy mapping in HW */
+ /* Currently is safe to use this indexing as only WIFI is using smapper */
 u8 lookuptable[HIP4_SMAPPER_TOTAL_BANKS];
 };
--
2.20.1
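Review bot: The bounds check in `if (bank->bank >= HIP4_SMAPPER_TOTAL_BANKS)` runs only after the allocator's return value has been stored in `bank->bank`, so if that field is narrower than int (the 251 in the Coverity report suggests a u8, but its declaration is not in the hunk) an oversized bank number would be truncated before the comparison and could pass it, and the free call would then be given the truncated value. Checking the raw value first closes that gap: `if (err >= HIP4_SMAPPER_TOTAL_BANKS) {` with `scsc_service_mifsmapper_free_bank(sdev->service, err);` in the error path, and `bank->bank = err;` only after the check has passed. Both failure paths also return -ENOMEM, where the removed code propagated the allocator's own error; returning `err` in the first and `-EINVAL` in the second would keep the two cases distinguishable for callers. The function starts and ends outside the hunk, so whether the kmalloc_array results that follow are checked cannot be seen here.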