diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2015-11-26 11:55:23 (GMT) |
---|---|---|
committer | Kalle Valo <kvalo@codeaurora.org> | 2015-11-30 12:57:49 (GMT) |
commit | 952348a5f88b92e412f3e490fb83acc17e68d85c (patch) | |
tree | 611ae3c4c1b1d12cf2949648b803f9d673c64071 /drivers/net/wireless/ralink/rt2x00 | |
parent | 5536f20a1c43417901e5bb66d62c38853e070be5 (diff) | |
download | linux-952348a5f88b92e412f3e490fb83acc17e68d85c.tar.xz |
rt2x00: type bug in _rt2500usb_register_read()
This code causes a static checker bug.
drivers/net/wireless/ralink/rt2x00/rt2500usb.c:232 _rt2500usb_register_read()
warn: passing casted pointer 'value' to 'rt2500usb_register_read()' 32 vs 16.
If the low 16 bits were initialized to zero then this code would only be
a problem on big endian systems. But in this case this is case the low
16 bits are never initialized. This is called from a function which is
created using a macro:
RT2X00DEBUGFS_OPS(csr, "0x%.8x\n", u32);
We end up copying uninitialized data to the user which is bogus and an
information leak.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Stanislaw Gruszka <sgruszka@redhat.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Diffstat (limited to 'drivers/net/wireless/ralink/rt2x00')
-rw-r--r-- | drivers/net/wireless/ralink/rt2x00/rt2500usb.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/drivers/net/wireless/ralink/rt2x00/rt2500usb.c b/drivers/net/wireless/ralink/rt2x00/rt2500usb.c index b50d873..d26018f 100644 --- a/drivers/net/wireless/ralink/rt2x00/rt2500usb.c +++ b/drivers/net/wireless/ralink/rt2x00/rt2500usb.c @@ -229,7 +229,10 @@ static void _rt2500usb_register_read(struct rt2x00_dev *rt2x00dev, const unsigned int offset, u32 *value) { - rt2500usb_register_read(rt2x00dev, offset, (u16 *)value); + u16 tmp; + + rt2500usb_register_read(rt2x00dev, offset, &tmp); + *value = tmp; } static void _rt2500usb_register_write(struct rt2x00_dev *rt2x00dev, |