From a1264e5feaa9f1137bc8739672067b981b35eeae Mon Sep 17 00:00:00 2001
From: Yu Tian
Date: Mon, 10 Aug 2020 15:51:00 +0800
Subject: [PATCH] qcacmn: Fix static code analysis issues in DP hdr_ptr is in skb_buffer data, it's assigned with 6B array, use uint8_t point convert to avoid SA overflow warnning. tid has asseration protect, but need to break execute to avoid of SA warnning Fix use-after-free of ast_entry
Change-Id: I0835f93291cf3da2b4fd57d8c9a90f20a60c11ee
CRs-Fixed: 2751678
---
 dp/wifi3.0/dp_rx_defrag.c | 1 +
 dp/wifi3.0/dp_tx.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/dp/wifi3.0/dp_rx_defrag.c b/dp/wifi3.0/dp_rx_defrag.c
index cc7f0d6d24..582d280d18 100644
--- a/dp/wifi3.0/dp_rx_defrag.c
+++ b/dp/wifi3.0/dp_rx_defrag.c
@@ -1632,6 +1632,7 @@ dp_rx_defrag_store_fragment(struct dp_soc *soc,
 if (tid >= DP_MAX_TIDS) {
 dp_info("TID out of bounds: %d", tid);
 qdf_assert_always(0);
+ goto discard_frag;
 }
 pdev = peer->vdev->pdev;
diff --git a/dp/wifi3.0/dp_tx.c b/dp/wifi3.0/dp_tx.c
index acbe58a9a0..2c3ef1a3ac 100644
--- a/dp/wifi3.0/dp_tx.c
+++ b/dp/wifi3.0/dp_tx.c
@@ -1411,7 +1411,7 @@ static void dp_tx_get_tid(struct dp_vdev *vdev, qdf_nbuf_t nbuf,
 DP_TX_TID_OVERRIDE(msdu_info, nbuf);
 if (qdf_likely(vdev->tx_encap_type != htt_cmn_pkt_type_raw)) {
 eh = (qdf_ether_header_t *)nbuf->data;
- hdr_ptr = eh->ether_dhost;
+ hdr_ptr = (uint8_t *)(eh->ether_dhost);
 L3datap = hdr_ptr + sizeof(qdf_ether_header_t);
 } else {
 qdf_dot3_qosframe_t *qos_wh =
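Review bot: In the dp_rx_defrag.c hunk the new `goto discard_frag;` sits directly after `qdf_assert_always(0);`, so it reads as dead code unless the reader knows the assert can return. A comment should say why it is there, e.g. `/* the assert may not stop execution on every build; never continue with an out-of-range tid */`. The `discard_frag` label and everything acquired before this check are outside the hunk, so confirm that the label's cleanup releases whatever is held at this point. If `tid` can be influenced by received frames (not visible here), the unthrottled `dp_info` call on this path could flood the log, and a rate-limited log call would be the safer choice.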
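Review bot: In the dp_tx.c hunk the `(uint8_t *)` cast quiets the analyzer, but `hdr_ptr` is still taken from the 6-byte `ether_dhost` member and then advanced by `sizeof(qdf_ether_header_t)`, so the out-of-member arithmetic that was flagged is unchanged. Taking the frame base states the intent directly: `hdr_ptr = (uint8_t *)nbuf->data;` (equivalent only if `ether_dhost` is the first member of the header, which this hunk does not show). Whether the buffer length is checked against the header size before `L3datap` is read is also not visible, since dp_tx_get_tid continues outside the hunk. Separately, the description mentions a use-after-free fix for ast_entry, but the diffstat lists only these two one-line changes.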