From 1da740e08a2d48012803a381108e0e8062cbd683 Mon Sep 17 00:00:00 2001 From: Takashi Iwai Date: Wed, 11 Mar 2020 09:47:13 +0100 Subject: prism54: Use scnprintf() for avoiding potential buffer overflow Since snprintf() returns the would-be-output size instead of the actual output size, the succeeding calls may go beyond the given buffer limit. Fix it by replacing with scnprintf(). Cc: Luis Chamberlain Signed-off-by: Takashi Iwai Signed-off-by: Kalle Valo --- drivers/net/wireless/intersil/prism54/oid_mgt.c | 34 ++++++++++++------------- 1 file changed, 17 insertions(+), 17 deletions(-) (limited to 'drivers/net/wireless/intersil') diff --git a/drivers/net/wireless/intersil/prism54/oid_mgt.c b/drivers/net/wireless/intersil/prism54/oid_mgt.c index 5705ad925a51..9fd307ca4b6d 100644 --- a/drivers/net/wireless/intersil/prism54/oid_mgt.c +++ b/drivers/net/wireless/intersil/prism54/oid_mgt.c @@ -780,17 +780,17 @@ mgt_response_to_str(enum oid_num_t n, union oid_res_t *r, char *str) { switch (isl_oid[n].flags & OID_FLAG_TYPE) { case OID_TYPE_U32: - return snprintf(str, PRIV_STR_SIZE, "%u\n", r->u); + return scnprintf(str, PRIV_STR_SIZE, "%u\n", r->u); case OID_TYPE_BUFFER:{ struct obj_buffer *buff = r->ptr; - return snprintf(str, PRIV_STR_SIZE, + return scnprintf(str, PRIV_STR_SIZE, "size=%u\naddr=0x%X\n", buff->size, buff->addr); } break; case OID_TYPE_BSS:{ struct obj_bss *bss = r->ptr; - return snprintf(str, PRIV_STR_SIZE, + return scnprintf(str, PRIV_STR_SIZE, "age=%u\nchannel=%u\n" "capinfo=0x%X\nrates=0x%X\n" "basic_rates=0x%X\n", bss->age, @@ -801,9 +801,9 @@ mgt_response_to_str(enum oid_num_t n, union oid_res_t *r, char *str) case OID_TYPE_BSSLIST:{ struct obj_bsslist *list = r->ptr; int i, k; - k = snprintf(str, PRIV_STR_SIZE, "nr=%u\n", list->nr); + k = scnprintf(str, PRIV_STR_SIZE, "nr=%u\n", list->nr); for (i = 0; i < list->nr; i++) - k += snprintf(str + k, PRIV_STR_SIZE - k, + k += scnprintf(str + k, PRIV_STR_SIZE - k, "bss[%u] :\nage=%u\nchannel=%u\n" "capinfo=0x%X\nrates=0x%X\n" "basic_rates=0x%X\n", @@ -819,23 +819,23 @@ mgt_response_to_str(enum oid_num_t n, union oid_res_t *r, char *str) struct obj_frequencies *freq = r->ptr; int i, t; printk("nr : %u\n", freq->nr); - t = snprintf(str, PRIV_STR_SIZE, "nr=%u\n", freq->nr); + t = scnprintf(str, PRIV_STR_SIZE, "nr=%u\n", freq->nr); for (i = 0; i < freq->nr; i++) - t += snprintf(str + t, PRIV_STR_SIZE - t, + t += scnprintf(str + t, PRIV_STR_SIZE - t, "mhz[%u]=%u\n", i, freq->mhz[i]); return t; } break; case OID_TYPE_MLME:{ struct obj_mlme *mlme = r->ptr; - return snprintf(str, PRIV_STR_SIZE, + return scnprintf(str, PRIV_STR_SIZE, "id=0x%X\nstate=0x%X\ncode=0x%X\n", mlme->id, mlme->state, mlme->code); } break; case OID_TYPE_MLMEEX:{ struct obj_mlmeex *mlme = r->ptr; - return snprintf(str, PRIV_STR_SIZE, + return scnprintf(str, PRIV_STR_SIZE, "id=0x%X\nstate=0x%X\n" "code=0x%X\nsize=0x%X\n", mlme->id, mlme->state, mlme->code, mlme->size); @@ -843,7 +843,7 @@ mgt_response_to_str(enum oid_num_t n, union oid_res_t *r, char *str) break; case OID_TYPE_ATTACH:{ struct obj_attachment *attach = r->ptr; - return snprintf(str, PRIV_STR_SIZE, + return scnprintf(str, PRIV_STR_SIZE, "id=%d\nsize=%d\n", attach->id, attach->size); @@ -851,7 +851,7 @@ mgt_response_to_str(enum oid_num_t n, union oid_res_t *r, char *str) break; case OID_TYPE_SSID:{ struct obj_ssid *ssid = r->ptr; - return snprintf(str, PRIV_STR_SIZE, + return scnprintf(str, PRIV_STR_SIZE, "length=%u\noctets=%.*s\n", ssid->length, ssid->length, ssid->octets); @@ -860,13 +860,13 @@ mgt_response_to_str(enum oid_num_t n, union oid_res_t *r, char *str) case OID_TYPE_KEY:{ struct obj_key *key = r->ptr; int t, i; - t = snprintf(str, PRIV_STR_SIZE, + t = scnprintf(str, PRIV_STR_SIZE, "type=0x%X\nlength=0x%X\nkey=0x", key->type, key->length); for (i = 0; i < key->length; i++) - t += snprintf(str + t, PRIV_STR_SIZE - t, + t += scnprintf(str + t, PRIV_STR_SIZE - t, "%02X:", key->key[i]); - t += snprintf(str + t, PRIV_STR_SIZE - t, "\n"); + t += scnprintf(str + t, PRIV_STR_SIZE - t, "\n"); return t; } break; @@ -874,11 +874,11 @@ mgt_response_to_str(enum oid_num_t n, union oid_res_t *r, char *str) case OID_TYPE_ADDR:{ unsigned char *buff = r->ptr; int t, i; - t = snprintf(str, PRIV_STR_SIZE, "hex data="); + t = scnprintf(str, PRIV_STR_SIZE, "hex data="); for (i = 0; i < isl_oid[n].size; i++) - t += snprintf(str + t, PRIV_STR_SIZE - t, + t += scnprintf(str + t, PRIV_STR_SIZE - t, "%02X:", buff[i]); - t += snprintf(str + t, PRIV_STR_SIZE - t, "\n"); + t += scnprintf(str + t, PRIV_STR_SIZE - t, "\n"); return t; } break; -- cgit v1.2.3 From bc1d50a1a485981784158c62b67c0268fdec5a10 Mon Sep 17 00:00:00 2001 From: "Gustavo A. R. Silva" Date: Mon, 24 Feb 2020 19:11:51 -0600 Subject: hostap: Replace zero-length array with flexible-array member The current codebase makes use of the zero-length array language extension to the C90 standard, but the preferred mechanism to declare variable-length types such as these ones is a flexible array member[1][2], introduced in C99: struct foo { int stuff; struct boo array[]; }; By making use of the mechanism above, we will get a compiler warning in case the flexible array does not occur last in the structure, which will help us prevent some kind of undefined behavior bugs from being inadvertently introduced[3] to the codebase from now on. Also, notice that, dynamic memory allocations won't be affected by this change: "Flexible array members have incomplete type, and so the sizeof operator may not be applied. As a quirk of the original implementation of zero-length arrays, sizeof evaluates to zero."[1] This issue was found with the help of Coccinelle. [1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html [2] https://github.com/KSPP/linux/issues/21 [3] commit 76497732932f ("cxgb3/l2t: Fix undefined behaviour") Signed-off-by: Gustavo A. R. Silva Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200225011151.GA30675@embeddedor --- drivers/net/wireless/intersil/hostap/hostap_common.h | 2 +- drivers/net/wireless/intersil/hostap/hostap_wlan.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'drivers/net/wireless/intersil') diff --git a/drivers/net/wireless/intersil/hostap/hostap_common.h b/drivers/net/wireless/intersil/hostap/hostap_common.h index 22543538239b..dd29a8e8d349 100644 --- a/drivers/net/wireless/intersil/hostap/hostap_common.h +++ b/drivers/net/wireless/intersil/hostap/hostap_common.h @@ -322,7 +322,7 @@ struct prism2_download_param { u32 addr; /* wlan card address */ u32 len; void __user *ptr; /* pointer to data in user space */ - } data[0]; + } data[]; }; #define PRISM2_MAX_DOWNLOAD_AREA_LEN 131072 diff --git a/drivers/net/wireless/intersil/hostap/hostap_wlan.h b/drivers/net/wireless/intersil/hostap/hostap_wlan.h index 487883fbb58c..dd2603d9b5d3 100644 --- a/drivers/net/wireless/intersil/hostap/hostap_wlan.h +++ b/drivers/net/wireless/intersil/hostap/hostap_wlan.h @@ -615,7 +615,7 @@ struct prism2_download_data { u32 addr; /* wlan card address */ u32 len; u8 *data; /* allocated data */ - } data[0]; + } data[]; }; -- cgit v1.2.3 From 645aa87fdfd9e608faba215677d92de9dba6dc22 Mon Sep 17 00:00:00 2001 From: "Gustavo A. R. Silva" Date: Mon, 24 Feb 2020 19:14:15 -0600 Subject: orinoco: Replace zero-length array with flexible-array member The current codebase makes use of the zero-length array language extension to the C90 standard, but the preferred mechanism to declare variable-length types such as these ones is a flexible array member[1][2], introduced in C99: struct foo { int stuff; struct boo array[]; }; By making use of the mechanism above, we will get a compiler warning in case the flexible array does not occur last in the structure, which will help us prevent some kind of undefined behavior bugs from being inadvertently introduced[3] to the codebase from now on. Also, notice that, dynamic memory allocations won't be affected by this change: "Flexible array members have incomplete type, and so the sizeof operator may not be applied. As a quirk of the original implementation of zero-length arrays, sizeof evaluates to zero."[1] This issue was found with the help of Coccinelle. [1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html [2] https://github.com/KSPP/linux/issues/21 [3] commit 76497732932f ("cxgb3/l2t: Fix undefined behaviour") Signed-off-by: Gustavo A. R. Silva Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200225011415.GA31868@embeddedor --- drivers/net/wireless/intersil/orinoco/fw.c | 2 +- drivers/net/wireless/intersil/orinoco/hermes.h | 2 +- drivers/net/wireless/intersil/orinoco/hermes_dld.c | 6 +++--- drivers/net/wireless/intersil/orinoco/orinoco_usb.c | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) (limited to 'drivers/net/wireless/intersil') diff --git a/drivers/net/wireless/intersil/orinoco/fw.c b/drivers/net/wireless/intersil/orinoco/fw.c index 400a35217644..015af782881b 100644 --- a/drivers/net/wireless/intersil/orinoco/fw.c +++ b/drivers/net/wireless/intersil/orinoco/fw.c @@ -49,7 +49,7 @@ struct orinoco_fw_header { __le32 pdr_offset; /* Offset to PDR data from eof header */ __le32 pri_offset; /* Offset to primary plug data */ __le32 compat_offset; /* Offset to compatibility data*/ - char signature[0]; /* FW signature length headersize-20 */ + char signature[]; /* FW signature length headersize-20 */ } __packed; /* Check the range of various header entries. Return a pointer to a diff --git a/drivers/net/wireless/intersil/orinoco/hermes.h b/drivers/net/wireless/intersil/orinoco/hermes.h index 121fdd8e5da2..9f668185b7d2 100644 --- a/drivers/net/wireless/intersil/orinoco/hermes.h +++ b/drivers/net/wireless/intersil/orinoco/hermes.h @@ -341,7 +341,7 @@ struct agere_ext_scan_info { __le64 timestamp; __le16 beacon_interval; __le16 capabilities; - u8 data[0]; + u8 data[]; } __packed; #define HERMES_LINKSTATUS_NOT_CONNECTED (0x0000) diff --git a/drivers/net/wireless/intersil/orinoco/hermes_dld.c b/drivers/net/wireless/intersil/orinoco/hermes_dld.c index 4a10b7aca043..dbeadfcfefe2 100644 --- a/drivers/net/wireless/intersil/orinoco/hermes_dld.c +++ b/drivers/net/wireless/intersil/orinoco/hermes_dld.c @@ -64,7 +64,7 @@ struct dblock { __le32 addr; /* adapter address where to write the block */ __le16 len; /* length of the data only, in bytes */ - char data[0]; /* data to be written */ + char data[]; /* data to be written */ } __packed; /* @@ -76,7 +76,7 @@ struct pdr { __le32 id; /* record ID */ __le32 addr; /* adapter address where to write the data */ __le32 len; /* expected length of the data, in bytes */ - char next[0]; /* next PDR starts here */ + char next[]; /* next PDR starts here */ } __packed; /* @@ -87,7 +87,7 @@ struct pdr { struct pdi { __le16 len; /* length of ID and data, in words */ __le16 id; /* record ID */ - char data[0]; /* plug data */ + char data[]; /* plug data */ } __packed; /*** FW data block access functions ***/ diff --git a/drivers/net/wireless/intersil/orinoco/orinoco_usb.c b/drivers/net/wireless/intersil/orinoco/orinoco_usb.c index e753f43e0162..a77bbcd544d6 100644 --- a/drivers/net/wireless/intersil/orinoco/orinoco_usb.c +++ b/drivers/net/wireless/intersil/orinoco/orinoco_usb.c @@ -202,7 +202,7 @@ struct ezusb_packet { __le16 crc; /* CRC up to here */ __le16 hermes_len; __le16 hermes_rid; - u8 data[0]; + u8 data[]; } __packed; /* Table of devices that work or may work with this driver */ -- cgit v1.2.3 From 7b9307134058cefb9c2416266a7ae6fc4af57915 Mon Sep 17 00:00:00 2001 From: "Gustavo A. R. Silva" Date: Mon, 24 Feb 2020 19:18:46 -0600 Subject: p54: Replace zero-length array with flexible-array member The current codebase makes use of the zero-length array language extension to the C90 standard, but the preferred mechanism to declare variable-length types such as these ones is a flexible array member[1][2], introduced in C99: struct foo { int stuff; struct boo array[]; }; By making use of the mechanism above, we will get a compiler warning in case the flexible array does not occur last in the structure, which will help us prevent some kind of undefined behavior bugs from being inadvertently introduced[3] to the codebase from now on. Also, notice that, dynamic memory allocations won't be affected by this change: "Flexible array members have incomplete type, and so the sizeof operator may not be applied. As a quirk of the original implementation of zero-length arrays, sizeof evaluates to zero."[1] This issue was found with the help of Coccinelle. [1] https://gcc.gnu.org/onlinedocs/gcc/Zero-Length.html [2] https://github.com/KSPP/linux/issues/21 [3] commit 76497732932f ("cxgb3/l2t: Fix undefined behaviour") Signed-off-by: Gustavo A. R. Silva Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200225011846.GA2773@embeddedor --- drivers/net/wireless/intersil/p54/eeprom.h | 8 ++++---- drivers/net/wireless/intersil/p54/lmac.h | 6 +++--- drivers/net/wireless/intersil/p54/p54.h | 2 +- 3 files changed, 8 insertions(+), 8 deletions(-) (limited to 'drivers/net/wireless/intersil') diff --git a/drivers/net/wireless/intersil/p54/eeprom.h b/drivers/net/wireless/intersil/p54/eeprom.h index b8f46883a292..1d0aaf54389a 100644 --- a/drivers/net/wireless/intersil/p54/eeprom.h +++ b/drivers/net/wireless/intersil/p54/eeprom.h @@ -24,7 +24,7 @@ struct pda_entry { __le16 len; /* includes both code and data */ __le16 code; - u8 data[0]; + u8 data[]; } __packed; struct eeprom_pda_wrap { @@ -32,7 +32,7 @@ struct eeprom_pda_wrap { __le16 pad; __le16 len; __le32 arm_opcode; - u8 data[0]; + u8 data[]; } __packed; struct p54_iq_autocal_entry { @@ -87,7 +87,7 @@ struct pda_pa_curve_data { u8 channels; u8 points_per_channel; u8 padding; - u8 data[0]; + u8 data[]; } __packed; struct pda_rssi_cal_ext_entry { @@ -119,7 +119,7 @@ struct pda_custom_wrapper { __le16 entry_size; __le16 offset; __le16 len; - u8 data[0]; + u8 data[]; } __packed; /* diff --git a/drivers/net/wireless/intersil/p54/lmac.h b/drivers/net/wireless/intersil/p54/lmac.h index e00761536cfc..8adde6ba35ab 100644 --- a/drivers/net/wireless/intersil/p54/lmac.h +++ b/drivers/net/wireless/intersil/p54/lmac.h @@ -81,7 +81,7 @@ struct p54_hdr { __le16 type; /* enum p54_control_frame_types */ u8 rts_tries; u8 tries; - u8 data[0]; + u8 data[]; } __packed; #define GET_REQ_ID(skb) \ @@ -176,7 +176,7 @@ struct p54_rx_data { u8 rssi_raw; __le32 tsf32; __le32 unalloc0; - u8 align[0]; + u8 align[]; } __packed; enum p54_trap_type { @@ -267,7 +267,7 @@ struct p54_tx_data { } __packed normal; } __packed; u8 unalloc2[2]; - u8 align[0]; + u8 align[]; } __packed; /* unit is ms */ diff --git a/drivers/net/wireless/intersil/p54/p54.h b/drivers/net/wireless/intersil/p54/p54.h index 0a9c1a19380f..3356ea708d81 100644 --- a/drivers/net/wireless/intersil/p54/p54.h +++ b/drivers/net/wireless/intersil/p54/p54.h @@ -126,7 +126,7 @@ struct p54_cal_database { size_t entry_size; size_t offset; size_t len; - u8 data[0]; + u8 data[]; }; #define EEPROM_READBACK_LEN 0x3fc -- cgit v1.2.3 From 3af4da165f487a3956fe5a7b4ee08b12c7a3a9af Mon Sep 17 00:00:00 2001 From: YueHaibing Date: Thu, 26 Mar 2020 11:24:32 +0800 Subject: hostap: convert to struct proc_ops commit 97a32539b956 ("proc: convert everything to "struct proc_ops"") forget do this convering for prism2_download_aux_dump_proc_fops. Fixes: 97a32539b956 ("proc: convert everything to "struct proc_ops"") Signed-off-by: YueHaibing Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20200326032432.20384-1-yuehaibing@huawei.com --- drivers/net/wireless/intersil/hostap/hostap_download.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'drivers/net/wireless/intersil') diff --git a/drivers/net/wireless/intersil/hostap/hostap_download.c b/drivers/net/wireless/intersil/hostap/hostap_download.c index 8722000b6c27..7c6a5a6d1d45 100644 --- a/drivers/net/wireless/intersil/hostap/hostap_download.c +++ b/drivers/net/wireless/intersil/hostap/hostap_download.c @@ -232,11 +232,11 @@ static int prism2_download_aux_dump_proc_open(struct inode *inode, struct file * return ret; } -static const struct file_operations prism2_download_aux_dump_proc_fops = { - .open = prism2_download_aux_dump_proc_open, - .read = seq_read, - .llseek = seq_lseek, - .release = seq_release_private, +static const struct proc_ops prism2_download_aux_dump_proc_ops = { + .proc_open = prism2_download_aux_dump_proc_open, + .proc_read = seq_read, + .proc_lseek = seq_lseek, + .proc_release = seq_release_private, }; -- cgit v1.2.3