From patchwork Thu Apr 13 17:05:04 2017
X-Patchwork-Submitter: Matthias Kaehlcke
X-Patchwork-Id: 9679753
X-Patchwork-Delegate: johannes@sipsolutions.net
From: Matthias Kaehlcke
To: Johannes Berg, "David S . Miller", Felix Fietkau
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-wireless@vger.kernel.org, grundler@chromium.org, Greg Hackmann, Michael Davidson, Matthias Kaehlcke
Subject: [PATCH v2] cfg80211: Fix array-bounds warning in fragment copy
Date: Thu, 13 Apr 2017 10:05:04 -0700
Message-Id: <20170413170504.110612-1-mka@chromium.org>

__ieee80211_amsdu_copy_frag intentionally initializes a pointer to
array[-1] to increment it later to valid values. clang rightfully
generates an array-bounds warning on the initialization statement.

Initialize the pointer to array[0] and change the algorithm from
increment before to increment after consume.

Signed-off-by: Matthias Kaehlcke
---
Note: Resent to include linux-wireless in cc

 net/wireless/util.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/wireless/util.c b/net/wireless/util.c
index 68e5f2ecee1a..52795ae5337f 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -659,7 +659,7 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct sk_buff *frame, int offset, int len) { struct skb_shared_info *sh = skb_shinfo(skb); - const skb_frag_t *frag = &sh->frags[-1]; + const skb_frag_t *frag = &sh->frags[0]; struct page *frag_page; void *frag_ptr; int frag_len, frag_size; @@ -672,10 +672,10 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct sk_buff *frame, while (offset >= frag_size) { offset -= frag_size; - frag++; frag_page = skb_frag_page(frag); frag_ptr = skb_frag_address(frag); frag_size = skb_frag_size(frag); + frag++; } frag_ptr += offset; @@ -687,12 +687,12 @@ __ieee80211_amsdu_copy_frag(struct sk_buff *skb, struct sk_buff *frame, len -= cur_len; while (len > 0) { - frag++; frag_len = skb_frag_size(frag); cur_len = min(len, frag_len); __frame_add_frag(frame, skb_frag_page(frag), skb_frag_address(frag), cur_len, frag_len); len -= cur_len; + frag++; } }
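Review bot: In the first hunk (@@ -659), the declaration of frag silently changes meaning and deserves a one-line comment. With the initializer now &sh->frags[0] and the increments moved to the end of both loop bodies, frag names the next fragment to read rather than the one just read, while frag_page, frag_ptr and frag_size set in the first loop still describe the fragment before it. Saying so at the declaration saves the next reader from re-deriving that from the two loops.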
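Review bot: In the second hunk (@@ -672), the loop on 'offset >= frag_size' advances frag with nothing in the visible lines bounding it by the number of fragments in sh, both before and after this change. Since the increment now runs after the reads, frag is left one element past the fragment just consumed, so the commit message or a comment should state that callers guarantee offset lies inside the skb, or the loop should check frag - sh->frags against sh->nr_frags before the skb_frag_page(frag) read.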
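Review bot: In the third hunk (@@ -687), a style point: with frag++ now the last statement of the body, the loop reads more directly as 'for (; len > 0; frag++)'. That keeps the advance next to the loop condition and means a later 'continue' added to the body cannot skip it and re-read the same fragment.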