lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <26b15f4702cef17fe70b496a62f03735874bd16a.camel@sipsolutions.net> Date: Tue, 24 Oct 2023 22:11:38 +0200 From: Johannes Berg <johannes@...solutions.net> To: "Gustavo A. R. Silva" <gustavo@...eddedor.com>, Kalle Valo <kvalo@...nel.org>, Jeff Johnson <quic_jjohnson@...cinc.com> Cc: ath10k@...ts.infradead.org, linux-wireless@...r.kernel.org, linux-kernel@...r.kernel.org, "Gustavo A. R. Silva" <gustavoars@...nel.org>, linux-hardening@...r.kernel.org Subject: Re: [RFC - is this a bug?] wifi: ath10k: Asking for some light on this, please :) On Tue, 2023-10-24 at 13:50 -0600, Gustavo A. R. Silva wrote: > Hi all, > > While working on tranforming one-element array `peer_chan_list` in > `struct wmi_tdls_peer_capabilities` into a flex-array member > > 7187 struct wmi_tdls_peer_capabilities { > ... > 7199 struct wmi_channel peer_chan_list[1]; > 7200 } __packed; > > the following line caught my attention: > > ./drivers/net/wireless/ath/ath10k/wmi.c: > 8920 memset(skb->data, 0, sizeof(*cmd)); > > Notice that before the flex-array transformation, we are zeroing 128 > bytes in `skb->data` because `sizeof(*cmd) == 128`, see below: > So, my question is: do we really need to zero out those extra 24 bytes in > `skb->data`? or is it rather a bug in the original code? > If we look a step further, I _think_ even that memset is unnecessary? struct sk_buff *ath10k_wmi_alloc_skb(struct ath10k *ar, u32 len) { struct sk_buff *skb; u32 round_len = roundup(len, 4); skb = ath10k_htc_alloc_skb(ar, WMI_SKB_HEADROOM + round_len); if (!skb) return NULL; skb_reserve(skb, WMI_SKB_HEADROOM); if (!IS_ALIGNED((unsigned long)skb->data, 4)) ath10k_warn(ar, "Unaligned WMI skb\n"); skb_put(skb, round_len); memset(skb->data, 0, round_len); return skb; } So shouldn't the outgoing skb be exactly the same? Anyway, just looking at the code out of curiosity, I don't actually know anything about this driver :) johannes
Powered by blists - more mailing lists