Replace fake-flex arrays with flex-array members in drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h #334

Closed GustavoARSilva closed 4 months ago

GustavoARSilva commented 11 months ago
ess/broadcom/brcm80211/brcmfmac/fwil_types.h
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fwil_types.h
@@ -398,7 +398,7 @@ struct brcmf_scan_params_le {
                                 * fixed parameter portion is assumed, otherwise
                                 * ssid in the fixed portion is ignored
                                 */
-       __le16 channel_list[1]; /* list of chanspecs */
+       __le16 channel_list[];  /* list of chanspecs */
 };

 struct brcmf_scan_params_v2_le {
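Review bot: Dropping the single element from `channel_list` shrinks `sizeof(struct brcmf_scan_params_le)` by one `__le16` (plus any tail padding the old layout had), so any caller that sizes its allocation or the length it hands to firmware as `sizeof(*params) + (n - 1) * sizeof(__le16)` now ends one chanspec short; those call sites are outside this hunk and nothing here shows them being updated, so they should move to `struct_size(params, channel_list, n)` (or an `offsetof`-based form) in the same change. The same applies to `brcmf_scan_params_v2_le` in the next hunk and to `brcmf_chanspec_list` in the last one. Because these `_le` structures describe a firmware wire format, it is worth confirming that the size of the fixed portion preceding the list is still what the firmware expects once `sizeof` no longer includes the first entry. The enclosing struct definition starts before this hunk.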
@@ -437,7 +437,7 @@ struct brcmf_scan_params_v2_le {
                                 * fixed parameter portion is assumed, otherwise
                                 * ssid in the fixed portion is ignored
                                 */
-       __le16 channel_list[1]; /* list of chanspecs */
+       __le16 channel_list[];  /* list of chanspecs */
 };

 struct brcmf_scan_results {
@@ -476,7 +476,7 @@ struct brcmf_assoc_params_le {
         * chanspec_list */
        __le32 chanspec_num;
        /* list of chanspecs */
-       __le16 chanspec_list[1];
+       __le16 chanspec_list[];
 };

 /**
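Review bot: `chanspec_list` in `brcmf_assoc_params_le` has an explicit `chanspec_num` in front of it, but this hunk changes only the declaration; if the driver fills in a single entry and hands the structure to firmware by `sizeof`, the conversion to `[]` silently removes that entry from the copied length rather than fixing an overflow. Unless the callers are changed in the same patch to size the object with `struct_size(params, chanspec_list, num)`, this hunk is better dropped, or the member left as `[1]` with a note such as `/* single entry in practice; not a flexible array */` so it is not re-flagged. The enclosing struct starts before this hunk, so the fixed-portion layout cannot be checked from here.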
@@ -697,7 +697,7 @@ struct brcmf_sta_info_le {

 struct brcmf_chanspec_list {
        __le32  count;          /* # of entries */
-       __le32  element[1];     /* variable length uint32 list */
+       __le32 element[];       /* variable length uint32 list */
 };

 /*
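Review bot: The new `__le32 element[];` line drops the column alignment that `__le32  count;` keeps on the line above; keep the member aligned as `__le32  element[];` so the struct reads consistently. Since `count` immediately precedes the array, this is also the one struct in the patch where the bounds are visible in the type: if the tree provides the endianness-aware `__counted_by_le()` annotation, `__le32  element[] __counted_by_le(count);` would let the compiler and FORTIFY enforce the length that the comment only describes.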
kees commented 5 months ago

Partially fixed by commit 4fed494abcd4fde5c24de19160e93814f912fdb3 and 16e455a465fca91907af0108f3d013150386df30.

Remaining:

GustavoARSilva commented 5 months ago
  • brcmf_assoc_params_le

It seems the one-element array in this struct isn't currently used as a fake flex array.

I haven't found any instances of it being indexed beyond index 0 or an access to it through any mechanism like memcpy() or memset() (beyond its only element).

kees commented 4 months ago

Ah-ha, well in that case we can close this bug. :)